https and openssl

opexoc

Hello,

I am wondering about building a program which would use the https protocol to
communicate with a web server. I am already able to write a program to do this by
http. Google told me that the openssl library can help me do this.
However, the documentation of this project is not enough for me to write
such an application. So I ask you if you know some tutorial which would
help me with this problem?

Wiktor
 
William Ahern

I am wondering about building a program which would use the https protocol to
communicate with a web server. I am already able to write a program to do this by
http. Google told me that the openssl library can help me do this.
However, the documentation of this project is not enough for me to write
such an application. So I ask you if you know some tutorial which would
help me with this problem?

Use the source. There are examples in the OpenSSL source tree more than
sufficient to acquaint you with the API.

Also, use another newsgroup, as HTTP and OpenSSL is off-topic.
 
Tor Rustad

Hello,

I am wondering about building a program which would use the https protocol to
communicate with a web server. I am already able to write a program to do this by
http. Google told me that the openssl library can help me do this.
However, the documentation of this project is not enough for me to write
such an application. So I ask you if you know some tutorial which would
help me with this problem?

Get for example the book "Network Security with OpenSSL", Viega, Messier
& Chandra.


The author of the mod_ssl in Apache: Viega.
 
William Ahern

Get for example the book "Network Security with OpenSSL", Viega, Messier
& Chandra.

<OT>

The problem with this book is that it spends all of its time on the easy
stuff, and none of the hard stuff. I.e., you can figure out the BIO stuff on
your own, and the basics of the SSL and SSL_CTX API are almost self-evident
after examination of the small examples.

Conversely, the X.509 and ASN.1 interfaces are given short shrift--if any at
all--yet those are the interfaces most impenetrable without guidance. I
must've spent a man-week reading the sources, trying to piece together their
rhyme and reason (short answer: there isn't any; in some places there are at
least two opposing architectures smooshed together.)

It's made all the more frustrating because alternatives for SSL/TLS
networking libraries are available, but with C X.509 and ASN.1 are rarified
domains and you're more-or-less stuck with OpenSSL.

The author of the mod_ssl in Apache: Viega.
 
Friedrich Dominicus

William Ahern said:
The problem with this book is that it spends all of its time on the easy
stuff, and none of the hard stuff. I.e., you can figure out the BIO stuff on
your own, and the basics of the SSL and SSL_CTX API are almost self-evident
after examination of the small examples.
that's unfortunately all too true...
Conversely, the X.509 and ASN.1 interfaces are given short shrift--if any at
all--yet those are the interfaces most impenetrable without guidance. I
must've spent a man-week reading the sources, trying to piece together their
rhyme and reason (short answer: there isn't any; in some places there are at
least two opposing architectures smooshed together.)

It's made all the more frustrating because alternatives for SSL/TLS
networking libraries are available, but with C X.509 and ASN.1 are rarified
domains and you're more-or-less stuck with OpenSSL.
Links?

Regards
Friedrich
 
Tor Rustad

William said:
[...]
Get for example the book "Network Security with OpenSSL", Viega, Messier
& Chandra.

<OT>

The problem with this book is that it spends all of its time on the easy
stuff, and none of the hard stuff. I.e., you can figure out the BIO stuff on
your own, and the basics of the SSL and SSL_CTX API are almost self-evident
after examination of the small examples.

OP did ask for a tutorial. :)

Good points in the book are, for example, that it explains SSL session caching,
and it does contain some C code and explains it. I have just peeked
through the more elementary SSL/PKI sections; from what I saw, it
provided a rather good introduction to the field. There are far worse
books out there on this, even on my own bookshelf.

Conversely, the X.509 and ASN.1 interfaces are given short shrift--if any at
all--yet those are the interfaces most impenetrable without guidance. I
must've spent a man-week reading the sources, trying to piece together their
rhyme and reason (short answer: there isn't any; in some places there are at
least two opposing architectures smooshed together.)

Yes, I can add, OpenSSL isn't exactly known as a well-designed,
well-documented and easy-to-use C library. :)

Furthermore, if reviewing a pen-test report these days, don't be
surprised if OpenSSL figures at the top as a main threat for computer
break-ins.

It's made all the more frustrating because alternatives for SSL/TLS
networking libraries are available, but with C X.509 and ASN.1 are rarified
domains and you're more-or-less stuck with OpenSSL.

OpenSSL is hardly the only alternative around for C programmers; Peter
Gutmann's cryptlib has been supporting SSL for some years now:

http://www.cs.auckland.ac.nz/~pgut001/cryptlib/

cryptlib is more cleanly implemented than OpenSSL, and comes with
excellent API documentation too. One problem with it (except the license
issue) might be that it's rather high-level, and it's difficult to
hook into the lower-level APIs OpenSSL provides.

There are other open-source C toolkits too, after a quick google search,
I came up with:

http://www.matrixssl.org/
http://www.gnu.org/software/gnutls/server.html


Furthermore, RSA still provide their industrial strength BSAFE library:

http://www.rsa.com/node.aspx?id=1204
http://www.rsa.com/node.aspx?id=2977
 
