I would just like to have the same security as somebody connecting to a https server(certificate does not need to be a trusted one). I cannot use any client keys or certs. I know that i have to present my server certificate to the client and then the client decides whether or not to connect to the server. I know that the server basically validates nothing about the client but just presents its certificate and the user decides if he/she wishes to connect to the server. I know that if i get a trusted certificate from some company like verisign and use that, that it could be more secure but at the moment i think that is not an option.Is it possible to make these programs more secure and how?.
server output is:
[EMAIL PROTECTED]/server
SSL connection opened
client output is:
[EMAIL PROTECTED]/client
Subject-CN: 192.13.19.25
Issuer-CN: Server
CA
Issuer Country: US
Issuer Organisation: My company
Do you wish to have a secure connection with this server[y:n]y
Issuer Country: US
Issuer Organisation: My company
Do you wish to have a secure connection with this server[y:n]y
SSL Connection opened
The c programs are the following........
/******************************************** client.c*******************************************/
#include "common.h"
SSL_CTX* InitCTX(void)
{ SSL_METHOD *method;
SSL_CTX *ctx;
SSL_CTX* InitCTX(void)
{ SSL_METHOD *method;
SSL_CTX *ctx;
OpenSSL_add_all_algorithms(); /* Load cryptos, et.al. */
SSL_load_error_strings(); /* Bring in and register error messages */
method = SSLv2_client_method(); /* Create new client-method instance */
ctx = SSL_CTX_new(method); /* Create new context */
if ( ctx == NULL )
{
ERR_print_errors_fp(stderr);
abort();
}
return ctx;
}
SSL_load_error_strings(); /* Bring in and register error messages */
method = SSLv2_client_method(); /* Create new client-method instance */
ctx = SSL_CTX_new(method); /* Create new context */
if ( ctx == NULL )
{
ERR_print_errors_fp(stderr);
abort();
}
return ctx;
}
int do_client_loop(SSL *ssl)
{
int err, nwritten;
char buf[80];
for (;;)
{
if (!fgets(buf, sizeof(buf), stdin))
break;
for (nwritten = 0; nwritten < sizeof(buf); nwritten += err)
{
err = SSL_write(ssl, buf + nwritten, sizeof(buf) - nwritten);
if (err <= 0)
return 0;
}
}
return 1;
}
void ShowCerts(SSL* ssl)
{ X509 *cert;
{
int err, nwritten;
char buf[80];
for (;;)
{
if (!fgets(buf, sizeof(buf), stdin))
break;
for (nwritten = 0; nwritten < sizeof(buf); nwritten += err)
{
err = SSL_write(ssl, buf + nwritten, sizeof(buf) - nwritten);
if (err <= 0)
return 0;
}
}
return 1;
}
void ShowCerts(SSL* ssl)
{ X509 *cert;
char buf[100];
/* get the server's certificate */
cert = SSL_get_peer_certificate(ssl);
if ( cert != NULL )
{
/* issuer */
X509_NAME_get_text_by_NID(cert->cert_info->subject, NID_commonName, buf,sizeof(buf));
printf(" Subject-CN: %s\n", buf);
X509_NAME_get_text_by_NID(cert->cert_info->issuer, NID_commonName, buf,sizeof(buf));
printf(" Issuer-CN: %s\n", buf);
X509_NAME_get_text_by_NID(cert->cert_info->issuer, NID_countryName, buf,sizeof(buf));
printf(" Issuer Country: %s\n", buf);
X509_NAME_get_text_by_NID(cert->cert_info->issuer, NID_organizationName, buf,sizeof(buf));
printf(" Issuer Organisation: %s\n", buf);
}
else
printf("No certificates.\n");
}
int main(int argc, char *argv[])
{
BIO *conn;
SSL *ssl;
SSL_CTX *ctx;
char input;
cert = SSL_get_peer_certificate(ssl);
if ( cert != NULL )
{
/* issuer */
X509_NAME_get_text_by_NID(cert->cert_info->subject, NID_commonName, buf,sizeof(buf));
printf(" Subject-CN: %s\n", buf);
X509_NAME_get_text_by_NID(cert->cert_info->issuer, NID_commonName, buf,sizeof(buf));
printf(" Issuer-CN: %s\n", buf);
X509_NAME_get_text_by_NID(cert->cert_info->issuer, NID_countryName, buf,sizeof(buf));
printf(" Issuer Country: %s\n", buf);
X509_NAME_get_text_by_NID(cert->cert_info->issuer, NID_organizationName, buf,sizeof(buf));
printf(" Issuer Organisation: %s\n", buf);
}
else
printf("No certificates.\n");
}
int main(int argc, char *argv[])
{
BIO *conn;
SSL *ssl;
SSL_CTX *ctx;
char input;
init_OpenSSL( );
seed_prng( );
ctx = InitCTX();
conn = BIO_new_connect(SERVER ":" PORT);
if (!conn)
int_error("Error creating connection BIO");
if (BIO_do_connect(conn) <= 0)
int_error("Error connecting to remote machine");
ssl = SSL_new(ctx);
SSL_set_bio(ssl, conn, conn);
if (SSL_connect(ssl) <= 0)
int_error("Error connecting SSL object");
ShowCerts(ssl);
printf("Do you wish to have a secure connection with this server[y:n]:");
scanf("%s", &input);
//Isconnect = (char*)input;
if (!strncmp(input, "n",1)){
SSL_free(ssl);
SSL_CTX_free(ctx);
return 0;
}
fprintf(stderr, "SSL Connection opened\n");
if (do_client_loop(ssl))
SSL_shutdown(ssl);
else
SSL_clear(ssl);
fprintf(stderr, "SSL Connection closed\n");
SSL_free(ssl);
SSL_CTX_free(ctx);
return 0;
}
/******************************************** server.c*******************************************/
#include "common.h"
#define CERTFILE "server.pem"
#define CAFILE "rootcert.pem"
#define CADIR NULL
SSL_CTX *setup_server_ctx(void)
{
SSL_CTX *ctx;
#define CERTFILE "server.pem"
#define CAFILE "rootcert.pem"
#define CADIR NULL
SSL_CTX *setup_server_ctx(void)
{
SSL_CTX *ctx;
ctx = SSL_CTX_new(SSLv23_method( ));
if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
int_error("Error loading CA file and/or directory");
if (SSL_CTX_set_default_verify_paths(ctx) != 1)
int_error("Error loading default CA file and/or directory");
if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
int_error("Error loading certificate from file");
if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
int_error("Error loading private key from file");
return ctx;
}
if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
int_error("Error loading CA file and/or directory");
if (SSL_CTX_set_default_verify_paths(ctx) != 1)
int_error("Error loading default CA file and/or directory");
if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
int_error("Error loading certificate from file");
if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
int_error("Error loading private key from file");
return ctx;
}
int do_server_loop(SSL *ssl)
{
int err, nread;
char buf[80];
do
{
for (nread = 0; nread < sizeof(buf); nread += err)
{
err = SSL_read(ssl, buf + nread, sizeof(buf) - nread);
if (err <= 0)
break;
}
fprintf(stdout, "%s", buf);
}
while (err > 0);
return (SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN) ? 1 : 0;
}
void THREAD_CC server_thread(void *arg)
{
SSL *ssl = (SSL *)arg;
{
int err, nread;
char buf[80];
do
{
for (nread = 0; nread < sizeof(buf); nread += err)
{
err = SSL_read(ssl, buf + nread, sizeof(buf) - nread);
if (err <= 0)
break;
}
fprintf(stdout, "%s", buf);
}
while (err > 0);
return (SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN) ? 1 : 0;
}
void THREAD_CC server_thread(void *arg)
{
SSL *ssl = (SSL *)arg;
#ifndef WIN32
pthread_detach(pthread_self( ));
#endif
if (SSL_accept(ssl) <= 0)
int_error("Error accepting SSL connection");
fprintf(stderr, "SSL Connection opened\n");
if (do_server_loop(ssl))
SSL_shutdown(ssl);
else
SSL_clear(ssl);
fprintf(stderr, "SSL Connection closed\n");
SSL_free(ssl);
pthread_detach(pthread_self( ));
#endif
if (SSL_accept(ssl) <= 0)
int_error("Error accepting SSL connection");
fprintf(stderr, "SSL Connection opened\n");
if (do_server_loop(ssl))
SSL_shutdown(ssl);
else
SSL_clear(ssl);
fprintf(stderr, "SSL Connection closed\n");
SSL_free(ssl);
ERR_remove_state(0);
#ifdef WIN32
_endthread( );
#endif
}
int main(int argc, char *argv[])
{
BIO *acc, *client;
SSL *ssl;
SSL_CTX *ctx;
THREAD_TYPE tid;
init_OpenSSL( );
seed_prng( );
_endthread( );
#endif
}
int main(int argc, char *argv[])
{
BIO *acc, *client;
SSL *ssl;
SSL_CTX *ctx;
THREAD_TYPE tid;
init_OpenSSL( );
seed_prng( );
ctx = setup_server_ctx( );
acc = BIO_new_accept(PORT);
if (!acc)
int_error("Error creating server socket");
if (BIO_do_accept(acc) <= 0)
int_error("Error binding server socket");
for (;;)
{
if (BIO_do_accept(acc) <= 0)
int_error("Error accepting connection");
client = BIO_pop(acc);
if (!(ssl = SSL_new(ctx)))
int_error("Error creating SSL context");
if (!acc)
int_error("Error creating server socket");
if (BIO_do_accept(acc) <= 0)
int_error("Error binding server socket");
for (;;)
{
if (BIO_do_accept(acc) <= 0)
int_error("Error accepting connection");
client = BIO_pop(acc);
if (!(ssl = SSL_new(ctx)))
int_error("Error creating SSL context");
SSL_set_bio(ssl, client, client);
THREAD_CREATE(tid, (void *)server_thread, ssl);
}
SSL_CTX_free(ctx);
BIO_free(acc);
return 0;
}
THREAD_CREATE(tid, (void *)server_thread, ssl);
}
SSL_CTX_free(ctx);
BIO_free(acc);
return 0;
}
Yahoo! Mail
Use Photomail to share photos without annoying attachments.
