How to implement a SSL server on Windows CE - ssl

I need to implement a server running on Windows CE 5.0 that shall communicate on a secure connection. To implement a secure connection SSL looks like a good choice.
The Windows CE 5.0 Winsock implementation allows to implement all the SLL stuff using the Winsock Secure Sockets. But the problem is that the referred site states:
SSL does not support the following Winsock functionality ... "Calls to the accept function".
How can I implement a SSL secured server when accept will not work? What other options do I have to implement a secure connection to a Windows CE 5.0 device?
Edit: My current application implementation is in C++. So I would prefer an approach that use the Windows API or a C++ library.

We ported the Mentalis Secure Socket Library to the Compact Framework for when we needed SSL. It was fairly painless, though not without its bugs.

MatrixSSL supports Windows CE:
MatrixSSLâ„¢ is an embedded SSL and TLS implementation designed for
small footprint applications and devices. Available is a fully
supported, commercial version as well as an open source version that
is available for download. MatrixSSL allows secure management of
remote devices. Several secure embedded Web servers also use MatrixSSL
for their encryption layer.
MatrixSSL has been ported to operating systems including
FreeRTOS, Bare Metal, eCos, VxWorks, uClinux, eCos, FreeRTOS, ThreadX,
WindowsCE, PocketPC, Palm, pSOS, SMX, BREW, MacOS X, Linux and
Windows.

Related

HTTPS support in WinCE6

I need to connect a WinCE6.0 device to a web based server using HTTPS.
The problem: WinCE6.0 uses WinInet v6 which supports SSL2, SSL3 and TSL1.0 None of which are supported in the current (2018) best practices due to their security flaws.
I doubt I can drop in a newer version of WinInet and expect it to run.
I had thoughts of porting CURL to WinCE.
I'm thinking this issue has already been addressed by the CE community, but I'm not seeing an available solution.
How can I get an old embedded device to securely connect to the WWW?
From GuruCE:
If you want to use TLS 1.1 and 1.2 on CE a suitable solution is to use mbedTLS library from ARM. It has a BSD-like license, so not too restrictive. Only one change to the makefiles is needed to get it to work on CE.

Is there a way to securely transmit data from Windows Mobile 6.5 over the Internet?

I have an application in C++ that needs to transmit data securely via web services to our web server.
VPN was the first choice, but out network administrator informs us that we will not support the IPSEC protocols available on Windows Mobile.
Currently we have tried implementing a SSL connection, but found we don't have the libraries for that.
Alternatively, we have been trying PocketPutty to create a SSH tunnel, but that only has a GUI interface, and we're not sure how to get that to work via programming code.
Thank you
OpenSSL supports Windows CE.
SSL 2.0 has been supported since at least CE 5.0.
SecureBlackBox is also supported.

Standard mDNS service on Windows

Does Windows (some modern flavour) have an mDNS server installed and/or running by default? If so then how does one tell it, preferably dynamically, to start/stop advertising a new service?
If there is no standard then how does one deal with the problem of conflicts trying to run multiple mDNS servers in that environment?
Basically, I want to implement a service that will run on Linux, Windows and Mac OS X and which needs to advertise its zeroconf webserver location using mDNS. On Linux I just use avahi-publish (or install a config file). I'm guessing that the answer will be straightforward for OS X. I'm struggling to find information for Windows.
Starting with Windows 10, Microsoft made strides towards a native Windows implementation of mDNS and DNS-SD.
While earlier iterations have been limited to UWP apps, a general Win32 API has been exposed from at least SDK version 10.0.18362.0 (1903/19H1, May 2019).
Note: This implementation is currently confirmed working only for 64bit build targets, there is an open issue preventing compilation for 32bit targets.
Outdated note from a previous version of this answer:
Early iterations resulted in mDNS network flooding:
Windows 10, in its default configuration, will spam its local networks
by responding to all mDNS requests with null response packets.
This issue was fixed in Windows 10 1511 (10586) and above
Last time I needed one, Apple's Bonjour Print Services for Windows was the most convenient mDNS client for Windows I could find. Only 5MB.
No, Microsoft doesn't directly support Multicast-DNS.
However, there appear to be several 3rd-party alternatives:
http://bens.me.uk/2013/multicast-dns-and-development-virtual-machines
http://en.wikipedia.org/wiki/Bonjour_%28software%29
http://www.icir.org/gregor/tools/autoconf-protocols.html
http://www.zeroconf.org/
... and ...
http://blogs.technet.com/b/networking/archive/2008/04/01/how-to-benefit-from-link-local-multicast-name-resolution.aspx
Have also successfully used C++/WinRT for dnssd discovery directly from C++ now. It appears from our perspective to be quicker and more reliable to query services and will let you easily install a watcher to get notifications when devices arrive etc. Of course, this is limited to versions of Windows 10 with support for C++/WinRT, which starts with 10.0.17134.0 (Windows 10, version 1803).
One caveat: We've noticed that it does not provide, nor recognise, a FQDN (trailing dot). So for a device that Bonjour OR Avahi would give an address of mydevice.local., Windows instead gives mydevice.local. Attempting to ping mydevice.local. under Windows 10 (1809) fails.
Windows 10 supports natively mDNS/Zeroconf, but only for modern APIs, not for Win32 applications.
If you have such an application, a third party service is required.
Source: https://social.technet.microsoft.com/Forums/en-US/8a0346de-2296-4f46-bc36-ff3fb13e283b/builtin-mdnsdnssd-zeroconf-support-in-windows-10
The short answer is to support both Avahi and Bonjour. You'll need Bonjour support to run on OSX anyway, and if a Windows user has installed iTunes they'll already be running it.
As a fallback for Windows users not running iTunes, you can compile Avahi as a library for Windows (with a bit of effort) and bundle it. This is a non-trivial bit of packaging, but the alternative is requiring your Windows users to install iTunes in order to use your application.

Connection to Hyper-V using openwsman without "basic" authentication?

I'm trying to test WS-MAN capabilities to manage multiple hypervisors (mainly ESXi and Hyper-V); in terms of Hyper-V, all samples I come across insist on first tuning the Hyper-V authentication to "basic"; does anyone know if this is a shortcoming in current OpenWSMAN implementation or by design it can't support other authentication mechanism OR please correct me if my understanding is wrong :-).
System Details:
Host OS: SL 6.1
OpenWSMAN: 2.2.0 (client version)
Thanks!
I found an explanation for above observation. On linux, OpenWSMAN uses OpenSSL for authentication connections, now OpenSSL on Linux supports "digest" and Windows machines does not. Windows supports Kerbos/GSSAPI which is not currently supported by OpenSSL.
Thanks!

How do I interact with a kerberos server from my own application

My network has a kerberos server for username/password authentication. Machines that run my application have functioning kerberos clients, so users can use kinit, etc.
How do I interact with the server programatically, from my own custom applications? The preferred language for an example is C.
I want users of my application to authenticate against a kerberos server before access to certain functions. I anticipate having to ask them for their username and password - kinit may not have been called.
The machines hosting the applications run OS X and Debian/Linux.
I believe the answer might well involve GSSAPI. If so, are there good tutorials for this?
Sun covers this in their book Solaris Security for Developers Guide. Specifically helpful to you will probably be Appendix A - Sample C-based GSSAPI programs and Chapter 5 - GSS-API Client Example.
Have a look at Heimdal, they have an extensive kerberos API, and the site below has a great doxygen install that describes the API.
http://www.h5l.org
GSSAPI is indeed the recommended approach, but the precise details will depend on your language environment and whether you need interop with Windows. Is your kerberos provider Windows or something else?
On Windows, Kerberos is a native protocol supported by the OS, and many high level Win32 APIs will effectively give you it for free. Making it interop with a non Windows kerberos server is possible but not trivial.
On UNIX, you may first need to install kerberos client support and get that working - but if your network already has a kerberos server, this may have been done for you already.
Windows includes an implementation of GSSAPI as does Java, and most UNIX flavors have an implementation. I believe GSSAPI addons are available for PHP also.
If you can add more specifics on your requirements I can firm this answer up a bit.