+1  Q: 

Implementing SSL

Hi All,

I have been tasked with implementing TLS/SSL onto an in-house webserver framework. I was wondering if anyone could point me to some good example code that they know of?

I am particularly interested in using GSS API (Microsoft's Security Support Provider Interface (SSPI)). Failing that, Crypto++, I can't use any other type of open source library.

Many Thanks!

EDIT: To clarify: Crypto++ is the only open source library I can use. Not my restriction, but one I have to comply with.

EDIT2: Just to add, I am coding in C++

+1  A: 

You honestly can't use OpenSSL? Is this a FIPS issue? If so, OpenSSL's FIPS 140-2 module 1.2 is available as of November of 2008.

UPDATE: If OpenSSL can't be used as a library, you can still read the source to learn. Depending on the strictness of your requirements, you may need to do this cleanroom-style.

UPDATE 2: Here's the latest (I think) TLS spec. Using this in conjunction with the OpenSSL source should help you figure out how to do the negotiation, etc. You can then use Crypto++ to perform the actual crypto you've negotiated. I'd still suggest trying to avoid implementing this by hand if you can possibly get OpenSSL OK'd. Without knowing why it was outlawed in the first place, I can't help you with that, though.

Hank Gay
OpenSSL is more trouble than it's worth. A simple, well-written example using SSPI should not be that hard to find!
Mike Trader
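An added example, not code from this thread or from any library: on the hand-rolled route described in the answer above (follow the TLS spec, use Crypto++ for the crypto), the first thing the server needs is to frame TLS records off the socket safely. The code below does that per RFC 5246 section 6.2. The names `next_record`, `Record` and `FrameStatus` are hypothetical, the input bytes are constructed, and it assumes only records with version major byte 3 are accepted.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Record-layer values from RFC 5246, section 6.2.
enum class ContentType : std::uint8_t {
    ChangeCipherSpec = 20, Alert = 21, Handshake = 22, ApplicationData = 23
};
constexpr std::size_t kHeaderLen = 5;                       // type, version(2), length(2)
constexpr std::size_t kMaxFragmentLen = (1u << 14) + 2048;  // TLSCiphertext.length limit

enum class FrameStatus { Complete, NeedMoreData, Malformed };

struct Record {
    ContentType type;
    std::uint8_t ver_major, ver_minor;  // 3,3 is TLS 1.2
    std::size_t offset;                 // where the fragment starts in the buffer
    std::size_t length;                 // fragment length in bytes
};

// Frame one record from buf at pos; on Complete, pos moves past it.
// The header is validated as soon as its 5 bytes arrive, so a bogus length
// is rejected before the caller buffers anything for it.
FrameStatus next_record(const std::vector<std::uint8_t>& buf, std::size_t& pos, Record& out) {
    if (pos > buf.size()) return FrameStatus::Malformed;
    const std::size_t avail = buf.size() - pos;
    if (avail < kHeaderLen) return FrameStatus::NeedMoreData;
    const std::uint8_t* h = buf.data() + pos;
    if (h[0] < 20 || h[0] > 23) return FrameStatus::Malformed;  // e.g. plain HTTP on the TLS port
    if (h[1] != 3) return FrameStatus::Malformed;               // assumption: SSL 3.0 / TLS 1.x only
    const std::size_t len = (static_cast<std::size_t>(h[3]) << 8) | h[4];
    if (len > kMaxFragmentLen) return FrameStatus::Malformed;
    // Only application data may carry a zero-length fragment.
    if (len == 0 && h[0] != 23) return FrameStatus::Malformed;
    if (avail - kHeaderLen < len) return FrameStatus::NeedMoreData;
    out = Record{static_cast<ContentType>(h[0]), h[1], h[2], pos + kHeaderLen, len};
    pos += kHeaderLen + len;
    return FrameStatus::Complete;
}

int main() {
    // Constructed input: one complete handshake record, then a truncated application-data record.
    const std::vector<std::uint8_t> buf = {22, 3, 3, 0, 4, 1, 0, 0, 0, 23, 3, 3, 0, 2, 0xAA};
    std::size_t pos = 0;
    Record r{};
    while (next_record(buf, pos, r) == FrameStatus::Complete)
        std::printf("type=%u len=%zu\n", static_cast<unsigned>(r.type), r.length);
    std::printf("stopped at offset %zu of %zu\n", pos, buf.size());
    return 0;
}
```

On `NeedMoreData` the caller reads more bytes from the socket and retries at the same `pos`; on `Malformed` it should close the connection rather than keep buffering.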
+1  A: 

I was hoping to use an off-the-shelf library or API (like the examples mentioned) rather than reverse engineer a whole library.

Konrad
You explicitly told us you *can't* use an off-the-shelf library, except Crypto++. Since that doesn't do SSL, (although it could probably be used to implement the actual crypto part), I don't see how a library helps you. Here's the TLS spec, btw: http://tools.ietf.org/html/rfc5246
Hank Gay
OK, so what about GSS SSPI? Any ideas there?
Konrad
Sorry - I haven't lived in MS-land in years.
Hank Gay
A: 

If you're exclusively on Windows, SSPI provides support for SSL as well as other security protocols. It essentially provides you with the tokens you need to send between client and server to establish the secure connection, and thereafter enables encryption of data. This article gives an overview, but you should refer to the MS docs.

Not sure if there is an equivalent for other platforms. There is GSSAPI, which is similar to SSPI, however I'm not aware of SSL implementations underneath that (usually it's used for access to Kerberos). Not saying they don't exist, I've just not come across them.

frankodwyer
Thanks, I have already seen this code snippet. It is mostly managed code (or C#), I was after C++. Should have mentioned that before.
Konrad
The API and approach are similar regardless of the language binding. There are loads of SSPI examples out there to illustrate the C++ peculiarities of invoking the API.
frankodwyer
Well, could you point me in the direction of some? The bits I have seen thus far are either of a poor standard or are proofs of concept, nothing else.
Konrad
Exactly, please link these tons of examples in C/C++...
Mike Trader