> From: owner-openssl-us...@openssl.org On Behalf Of ml
> Sent: Wednesday, 20 June, 2012 21:34
>
> when using ssl V2 it is possible to run code in a few lines I quote
>
>     #define CHK_NULL(x) do { if ((x)==NULL) exit (1); } while(0)
>     #define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
>     #define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
>
>     ssl = SSL_new(ctx);
>     CHK_NULL(ssl);
>     SSL_set_fd (ssl, sockfd);
>     err = SSL_connect(ssl);
>     CHK_SSL(err);
>
>     //send data

This semi-random spacing and indentation is hard to read. You can't have the above statements at "global" (file) scope and you can't have the below functions anywhere but file scope.

>     void send_line(SSL* ssl, char* cmd)
>     {
>         int err;
>         err = SSL_write (ssl, cmd, strlen(cmd));
>         CHK_SSL(err);
>     }
>
>     //receive data
>     void recv_line(SSL* ssl)
>     {
>         char rbuf[1500] = {0};
>         int err;
>         err = SSL_read (ssl, rbuf, sizeof(rbuf) - 1);
>         CHK_SSL(err);
>         printf("%s\n", rbuf);
>     }

What that receives isn't necessarily a line; it's whatever the peer chose to put in a record, up to 1499 bytes. It could be a line, or 50 lines, or one-tenth of a (long) line.

> So you can run a client in a few dozen lines
> when using ssl really one is obliged to give all the sequences is it
> possible to remove some of the code
>
> example my code
> https://github.com/fakessh/openprojectssl/blob/master/smtp_openssl.c
>
> - open c socket
> - init ssl library -> ssl_librabry_init()
> - to establish ssl context -> sslContext = SSL_CTX_new( SSLv3_client_method() )

This is equally required for SSLv2, but with a different method.

> - to assign and manage CERTs ## can not use
>   -> x509store = SSL_CTX_get_cert_store( sslContext )
>   -> X509_STORE_add_cert(x509store, x509CACert)
>   -> ...

I assume you mean "can not use" as "optionally use or not use". In English "cannot <x>" or "can't <x>" usually means <x> is impossible or prohibited, and that's definitely untrue here. "cannot x" is "not (can_do x)", not "can (not_do x)". Yes, this isn't exactly logical; natural language isn't formal.

The usual programming jargon for what I believe you mean is "required" or "mandatory" and "optional".

The local truststore 'cert_store' can instead (usually easier) be set by _load_verify_locations or _set_default_verify_paths. If you don't do any of these, the OpenSSL client will be unable to verify any server cert, and if you ignore the verify error(s) you may be at risk of having your communications diverted and broken by an attacker. Since people usually use SSL to get security, this is usually undesirable. This is the same in SSLv3 (and TLS) as in v2; if you didn't do it for v2 you weren't secure (plus v2 reportedly had other issues).

> - to use a CERTs -> SSL_CTX_use_certificate( sslContext, x509Cert ) ##can not use
> - to use RSA key -> SSL_CTX_use_RSAPrivateKey( slContext, rsaPrivPRIVKEY ) ##can not use
> - to check CERTs -> SSL_CTX_check_private_key( sslContext ) ##can not use

If you use client authentication, the client must do both use_certificate and use_{RSA,}PrivateKey. If you don't use client auth, you don't need either of these. Client auth is fairly rare, but if a server demands it you must do it. _check_private_key is useless; _use_cert and _use_privkey already cross-check. I believe client auth was new in v3.

> - to establish SSL HANDLE -> sslHandle = SSL_new( sslContext )
> - to assign c socket to the handler -> SSL_set_fd( sslHandle, socket)
> - and finally, to establish the ssl connection -> SSL_connect( sslHandle )
>
> it would be possible to create a connection in a few lines what would
> be the example to make it simple to see from home as easy as
> with SSL v2

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
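As an added example (not code from either poster, and not from the linked openprojectssl repository), here is the minimal client the reply describes, written against Python's `ssl` module, which wraps the same OpenSSL objects: `ssl.create_default_context()` is `SSL_CTX_new` plus `SSL_CTX_set_default_verify_paths` (or `SSL_CTX_load_verify_locations` when a `cafile` is given) with `SSL_VERIFY_PEER` already set; `load_cert_chain` is `SSL_CTX_use_certificate` plus `SSL_CTX_use_PrivateKey` for the client-auth case; `wrap_socket` is `SSL_new`, `SSL_set_fd` and `SSL_connect`. The `insecure=True` branch shows what "ignoring the verify errors" amounts to, and `LineReader` fixes the `recv_line` problem noted above by reassembling lines from record-sized reads. The host name `mail.example.test`, the `ChunkSocket` stand-in and the SMTP chunks it returns are constructed for the demonstration.

```python
import socket
import ssl


def make_client_context(cafile=None, client_cert=None, client_key=None, insecure=False):
    """Build a client SSL_CTX the way the reply describes.

    create_default_context() is SSL_CTX_new(TLS_client_method()) followed by
    SSL_CTX_load_verify_locations(cafile) when a cafile is given, otherwise
    SSL_CTX_set_default_verify_paths(), with SSL_VERIFY_PEER and hostname
    checking turned on.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if client_cert:
        # Client authentication, only needed when the server demands it:
        # SSL_CTX_use_certificate + SSL_CTX_use_PrivateKey in one call.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    if insecure:
        # The "ignore the verify errors" configuration the reply warns about:
        # the handshake then succeeds against any certificate whatsoever.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_summary(ctx):
    """Report whether a context will actually authenticate the server."""
    return {
        "verify_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": bool(ctx.check_hostname),
    }


def tls_connect(host, port, ctx):
    """socket() + SSL_new + SSL_set_fd + SSL_connect (handshake on wrap).

    server_hostname supplies SNI and the name the certificate is checked against.
    """
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


def send_line(sock, cmd):
    """SSL_write of one command line, terminated the way SMTP expects (CRLF)."""
    sock.sendall(cmd.encode("ascii") + b"\r\n")


class LineReader:
    """Reassemble lines from whatever-sized chunks recv() returns.

    SSL_read/recv() hand back one record's worth of data, not one line: a
    chunk may hold part of a line or several lines. Leftover bytes stay
    buffered for the next call, and a line longer than max_line is rejected.
    """

    def __init__(self, sock, max_line=4096):
        self.sock = sock
        self.buf = b""
        self.max_line = max_line

    def readline(self):
        """Return the next line without its CRLF/LF, or None at EOF."""
        while b"\n" not in self.buf:
            if len(self.buf) >= self.max_line:
                raise ValueError("line exceeds %d bytes" % self.max_line)
            chunk = self.sock.recv(1500)
            if not chunk:  # peer closed the connection
                if not self.buf:
                    return None
                line, self.buf = self.buf, b""  # unterminated final line
                return line
            self.buf += chunk
        line, self.buf = self.buf.split(b"\n", 1)
        return line.rstrip(b"\r")


class ChunkSocket:
    """Constructed stand-in for a TLS socket: recv() returns pre-split chunks, then b'' at EOF."""

    def __init__(self, chunks):
        self.chunks = list(chunks)
        self.sent = b""

    def recv(self, n):
        return self.chunks.pop(0) if self.chunks else b""

    def sendall(self, data):
        self.sent += data


def demo_lines():
    """Feed a constructed SMTP greeting, split at record boundaries, through LineReader."""
    sock = ChunkSocket([
        b"220 mail.exa",                                   # record 1: a fragment of a line
        b"mple.test ESMTP\r\n250-PIPELINING\r\n250 SIZE",  # record 2: rest of it, plus more
        b" 10240000\r\n",                                  # record 3: tail of the third line
    ])
    reader = LineReader(sock)
    lines = []
    while (line := reader.readline()) is not None:
        lines.append(line)
    return lines


if __name__ == "__main__":
    print(verification_summary(make_client_context()))
    print(demo_lines())
    # Live use (needs network; host name is a placeholder):
    # with tls_connect("mail.example.test", 465, make_client_context()) as s:
    #     r = LineReader(s); print(r.readline()); send_line(s, "EHLO client.example.test")
```

The context is the whole "few lines" the original poster asked for: trust anchors come from the platform store by default, so the only calls left are creating the context, wrapping the socket and reading. Everything else in the list (cert store manipulation, client certificate, `_check_private_key`) is either optional or redundant, exactly as the reply says.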