Hi,

Basically my question is the exact same one as this:

http://stackoverflow.com/questions/937459/simple-client-server-tcp-ip-encrypting-the-message-stream-ssl

The difference is that I need this for pure C++, not .NET. I cannot use 3rd party libraries, so unless it's a Windows system component (like the above) I need something with source so I can get the general idea and build it myself.

Thanks :)

Quoting the other question for reference:

"Writing a little TCP/IP client server app. Basically it creates a server, and then you can create several different clients and set up a bit of a chat session. What I am wondering is there is any way to incorporate, using standard .net libraries some form of encryption?

m_mainSocket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);

Is there any way of specifying TCP using RSA?

Or would you (me that is) have to write some custom libraries to do key exchange and then encrypt the subsequent chat messages? I have done that before for uni but that was in Java but I know it wouldn't be hard to convert them. Just trying not to have to reinvent the wheel...

Or what about utilising SSL?

Thanks, Ron."

A: 

You can always look at OpenSSL which is open source, but that would be like implementing SSL yourself. I would suggest wrapping OpenSSL and using it. Or use the SSL tunnel application available in OpenSSL.

Cellfish
+5  A: 

Have you considered using the ASIO library? http://think-async.com/Asio/

There is an example specifically for an SSL based client/server. http://think-async.com/Asio/asio-1.4.1/doc/asio/examples.html#asio.examples.ssl

It's as "pure C++" as you can get.

Beh Tou Cheh
A: 

Writing your own encryption code is "not recommended". It's easy enough to make a simple mistake when using one of these libraries, let alone when you try to write one yourself.

What you really want to use is OpenSSL with Boost.ASIO on top of it. If you can't do that then your next best alternative is to use the Internet Explorer COM object. This isn't quite as flexible, but might work out fine depending on what your exact needs are. You can also explore the Win32 API. Last I looked there weren't enough crypto APIs widely available to do this. The final way of dealing with this is to wrap the .NET APIs so that you can make use of them from native C++.

Only if none of that works out for you should you even consider writing this yourself. You will make mistakes and your application will be less secure as a result. So, before you start trying to write your own crypto code you could also try to look at tunnelling SOCKS over SSH and use somebody else's SSH implementation. The next thing I would look at is to buy in the code rather than write it yourself. The code won't be as good as open source offerings as it will be less used so will have more security problems, but it will still be better than anything you would write on your first outing doing this.

Only if you've exhausted all of these options should you think about writing this yourself. Once you think about it you should try all of the other options again to make sure that you didn't miss getting one of them to work for you the first time around.

If you do still write your own implementation then throw it away and use one of the other options before putting it into production use as there will be mistakes that compromise the security to the extent where you probably may as well not have bothered.

Sorry to sound down on all of this, but getting these things right is really hard and not something you can do by just taking a quick look at somebody else's implementation.

KayEss
Thanks. I'm still trying to work out the best solution here, but what you are saying sounds reasonable. Thanks to the other two contributors as well.
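The answers above converge on one recommendation: wrap an existing TLS implementation (OpenSSL, directly or through Boost.ASIO) instead of writing the cryptography yourself, while KayEss warns that it is easy to make a simple mistake even when using such a library. The example below is an addition to this thread, not code from any of the answerers. It uses Python's standard-library `ssl` module, which is itself a thin wrapper over OpenSSL, to show the three configuration decisions a C++ wrapper around OpenSSL has to get right in exactly the same way (peer verification, hostname checking, minimum protocol version), a deliberately weak context of the kind that appears in many first attempts, and an audit function that flags the weak settings. No network connection is made; everything runs against the context objects. The function names `make_client_context`, `make_weak_client_context` and `audit_context` are this example's own.

```python
"""Added example: the TLS decisions a wrapper around OpenSSL must get right.

Python's ssl module wraps OpenSSL, so the settings below correspond one to
one with SSL_CTX_set_verify / SSL_set1_host / SSL_CTX_set_min_proto_version
in a native C++ wrapper. The hardened and weak contexts are constructed
here for illustration; audit_context() reports what is wrong with a context.
"""
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client context that authenticates the server the way a browser would."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # create_default_context() already sets these; stating them explicitly
    # documents the security decisions rather than relying on library defaults.
    ctx.verify_mode = ssl.CERT_REQUIRED            # reject unauthenticated servers
    ctx.check_hostname = True                      # bind the certificate to the expected name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse deprecated protocol versions
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """The 'just make it connect' configuration (constructed here as a bad example)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode can be lowered,
    # which is exactly the two-step dance found in many 'fix the cert error' snippets.
    ctx.check_hostname = False                     # a certificate for any name is accepted
    ctx.verify_mode = ssl.CERT_NONE                # any certificate, or none, is accepted
    # Lets OpenSSL negotiate down to whatever version it still supports.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the weaknesses found in a client context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any hostname is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2: deprecated protocol versions are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()),
                      ("weak", make_weak_client_context())):
        print(f"{name}: {audit_context(ctx) or ['ok']}")
```

The audit function is the part worth carrying over to a C++ wrapper: whatever library ends up underneath the chat socket, a unit test that inspects the configured context for these three properties catches the most common way a "working" TLS integration ends up providing no authentication at all.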