I have a packet interface to another entity, not a TCP connection but I need to do SSL on this interface by following SSL over TCP. Wonder if there is a library that has the following 3 APIs on SSL. They should be self-evident and they will fit well with the packet interface (not a stream/socket interface).
ssl = createSSL();
clearText = fromSSLPipe(ssl, encryptedData, len, &outputLen);
encryptedData = toSSLPipe(ssl, cleartext, len, &outputLen);
If there is no such library, could someone give some example(s) on how to implement them?
Thanks in Advance.
SSL/TLS uses frames with a size of up to 16k. So if this is enough for you, you can simple use SSL_write (will output a single SSL frame if data <16k) and SSL_read (will read single SSL frame and decrypt it) from openssl over a TCP connection. If you need encrypted UDP you can use DTLS, which is also implemented by openssl. While the openssl library is written in C there are interfaces for lots of languages, like perl, python, ruby...
Related
I am authenticating to my radius server using EAP-TLS v1.3 protocol. As TLSv1.3 mandates, all the certificates used are Elliptic curve (secp256-r1). However, the SSL tab of Wireshark supports only RSA Keys for now.
I want to decrypt the traffic on my supplicant (peer). Is there a way that can be done? (In a somewhat similar manner to Master Shared Secret method used for web browsers).
Any other program that can help me analyze the traffic?
Thanks in advance and apologies if I am missing something here. I am using wpa_supplicant v2.9 on peer.
I have added TLS encryption to one of my C++ applications using OpenSSL.
When I look at the traffic in Wireshark, I notice that you can see what kind of data is being encrypted in the "TLSv1 Record Layer: Application Data Protocol".
I don't really want to reveal this kind of information. Is there a way to set the protocol to "unspecified" or something else ?
The "Application Data Protocol" field displayed in Wireshark is a guess based on the TCP source and destination ports, and is not carried in the TLS stream.
You can check the source code of Wireshark for yourself, it is in dissect_ssl3_record(), epan/dissectors/packet-ssl.c around line 1686.
I developed (in CPP) a unique protocol over HTTP and I use it to communicate with my server.
Now, I want to establish SSL connection over my proprietary protocol to transfer the data itself.
Can I do it using OpenSSL? I searched the web and all I found is something related with BIO, but I didn't understood how to use it for my needs..
Anyway, the best solution for me will be a way I can pass OpenSSL my proprietary send & receive functions so all the communication itself will go only through my functions.
TNX ahead :)
Use BIO pairs. You can find an example in the ssltest.c program, search the source for bio_pair. The basic idea is that you treat the OpenSSL engine as a black box.
There are four things your code has to do:
When you receive encrypted data over the connection to the other side, you have to write it to the SSL engine's encrypted BIO.
When the SSL engine wants to send encrypted data to the other side, you have to read it from the SSL engine's encrypted BIO and transport it to the other side.
When you have plaintext you want to encrypt and send, you have to write it to the SSL engine's plaintext BIO.
When the SSL engine has plaintext it has decrypted for you, you have to read it from the SSL engine's plaintext BIO.
OpenSSL acts purely as an engine following the SSL protocol and moving data between the two BIOs. It does all the protocol negotiation and operations for you, so long as you keep all four of these data streams moving.
One caution I can give you is this -- do not assume any special relationship between these things. For example, you might have some plaintext you want to encrypt and send, and when you write it to the SSL engine's plaintext BIO, the SSL engine might not be able to make forward progress until it receives some encrypted data from the other side. Treat the SSL engine as a black box and do all these four things whenever possible . Do not try to "look through" the SSL engine and, for example, expect that because you handed the SSL engine some encrypted data it will have necessarily plaintext for you. It might, but it might also need to send encrypted data to the other side.
One other caution: the SSL engine has only one state. It does not have a read state and a write state. (Search this thread for "the nightmare scenario" if you want the ugly details.) This is most likely to bite you if you use an SSL connection with multiple threads and expect it to behave just like a TCP connection (where the read and write sides are independent except in the case of a fatal error or connection close).
Second option - a protocol that has its own messages and uses HTTP to
pass them between the client and the server.
If you're using HTTP to pass your own messages, using OpenSSL for SSL/TLS would imply that you'd need to write your own HTTP library library too.
Instead, use an HTTP library that supports HTTPS (most do), via OpenSSL or not. Exchanging your custom messages on top of HTTPS should be fairly transparent and similar to using plain HTTP. You'd just need to configure HTTPS normally.
1 question about Stunnel. I would like to use Stunnel as a FIX (Financial Information eXchange) gateway for internet, to support both SSL and non-SSL connection. Is Stunnel able to do without any encryption? I just had a try with plain socket but it looked Stunnel rejected the connection saying 'invalid protocol' or something.
It's possible to use SSL/TLS without encryption using cipher suites with null encryption (e.g. TLS_RSA_WITH_NULL_SHA), which are normally disabled by default, but could be set via the ciphers option of Stunnel. However, you would still be using SSL/TLS, which isn't what you seem to be looking for.
It looks like you're more generally looking for what's usually called a TCP bouncer. You should be able to find a number of implementations around.
All,
It is possible to use IIS (or similar) to handle the ssl side of https communications. Is there something similar that can handle the ssl side of a TCP/IP message?
Basically I have a client device sending a non-http message over a TCP connection and want a server that can handle the crypto and certificate side of SSL for me and forward the plain text on to another server.
The openSSL s_server command seems correct but the documentation states "It's intended for testing purposes only" while I need something robust. Is the documentation out of date?
Thanks,
Patrick
You are after the stunnel program:
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code.
I don't think the documentation is out of date. "For testing purposes only" is their release from liability.
It sounds like you want an SSL tunnel. You could setup a tunnel to the SSL server, send the packets through the tunnel, and then have that server forward the result on. There are lots of tutorials on using SSH to setup tunnels over SSL.