Hi

I am pretty new to the security aspect of applications. I have a C++ Windows service (server) that listens on a particular port for HTTP requests. The HTTP requests can be made via AJAX or a C# client. Due to some scope change, we now have to secure this communication between the clients and the custom server written in C++.

Therefore I am looking for options to secure this communication. Can someone help me out with the possible approaches I can take to achieve this?

Thanks Dpak

A: 

Use HTTPS.

Assaf Lavie
Can I implement HTTPS on my custom server? If that's possible, can you provide me pointers on how I can achieve it?
deepak
You mean you're writing your own server from scratch using TCP/IP? Why? I would suggest you build on an existing server, like Apache or IIS. In any case, there are many communications libraries out there that can do HTTPS for you if you google it.
Assaf Lavie
I have a legacy application that has its own server and listens for HTTP requests carrying XML strings. It can be compared with SOAP messages over HTTP to IIS. I have to make changes to this legacy app for secure transfers.
deepak
A: 

Given that you have an existing HTTP server (non-IIS) and you want to implement HTTPS (which is easy to screw up and hard to get right), you have a couple of options:

  1. Rewrite your server as a COM object, and then put together an IIS webservice that calls your COM object to implement the webservice. With this done, you can then configure IIS to provide your webservice via HTTP and HTTPS.

  2. Install a proxy server (Internet Security and Acceleration Server or Apache with mod_proxy) on the same host as your existing server and set up the proxy server to listen via HTTPS and then reverse proxy the requests to your service.

The second option requires little to no changes to your application; the first option is the better long-term architectural move.

Craig Trader
A: 

A good toolkit for securing your communication channel is OpenSSL.

That said, even with a toolkit, there are plenty of ways to make mistakes when implementing your security layer that can leave your data open to attack. You should consider using an existing HTTPS server and having it forward the requests to your server on the loopback channel.

R Samuel Klatchko
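The reverse-proxy approach suggested in the two answers above (Apache with mod_proxy listening on HTTPS and forwarding to the existing server over loopback), written out as an added example that is not part of either answer. The backend address `127.0.0.1:8080`, the host name and the certificate paths are assumptions; substitute your own.

```apache
# Added example, not from the original answers.
# Assumptions: the legacy C++ service listens on 127.0.0.1:8080;
# service.example.com and the certificate paths are placeholders.

# Modules required for TLS termination and HTTP reverse proxying.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so

# Only the TLS port is exposed to clients.
Listen 443

<VirtualHost *:443>
    ServerName service.example.com

    # TLS is terminated here, so the C++ server needs no crypto code.
    SSLEngine on
    SSLCertificateFile    "/path/to/server.crt"
    SSLCertificateKeyFile "/path/to/server.key"
    # Disable legacy SSL/TLS versions; allow TLS 1.2 and 1.3 only.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Forward every request to the legacy service over loopback.
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"

    # Let the backend know the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

For this to protect anything, the C++ service has to bind to `127.0.0.1` rather than all interfaces (or its port has to be blocked at the host firewall), otherwise clients can still reach the plain-HTTP port directly and bypass the proxy.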
A: 

It's reasonably easy to do this using either OpenSSL or Microsoft's SChannel SSPI interface.

How complex it is for you depends on how you've structured your server. If it's a traditional style BSD sockets 'select' type server then it should be fairly straightforward to take the examples from either OpenSSL or SChannel and get something working pretty quickly.

If you're using a more complex server design (async sockets, IOCP, etc.) then it's a bit more work as the examples don't tend to show these things. I wrote an article for Windows Developer Magazine back in 2002, which is available here, which shows how to use OpenSSL with async sockets, and this code can be used to work with overlapped I/O and IOCP based servers if you need to.

Len Holgate