William said:
[...]
Get for example the book "Network Security with OpenSSL", Viega, Messier
& Chandra.
<OT>
The problem with this book is that it spends all of its time on the easy
stuff, and none of the hard stuff. I.e., you can figure out the BIO stuff on
your own, and the basics of the SSL and SSL_CTX API are almost self-evident
after examination of the small examples.
OP did ask for a tutorial.
Good points in the book are, for example, that it explains SSL session
caching, and it does contain some C code and explains it. I have just peeked
through the more elementary SSL/PKI sections; from what I saw, it
provided a rather good introduction to the field. There are far worse
books out there on this, even on my own bookshelf.
Conversely, the X.509 and ASN.1 interfaces are given short shrift--if any at
all--yet those are the interfaces most impenetrable without guidance. I
must've spent a man-week reading the sources, trying to piece together their
rhyme and reason (short answer: there isn't any; in some places there are at
least two opposing architectures smooshed together.)
Yes, I can add, OpenSSL isn't exactly known as a well-designed,
well-documented and easy-to-use C library.
Furthermore, if reviewing a pen-test report these days, don't be
surprised if OpenSSL figures at the top as a main threat for computer
break-ins.
It's made all the more frustrating because alternatives for SSL/TLS
networking libraries are available, but with C, X.509 and ASN.1 are rarefied
domains and you're more-or-less stuck with OpenSSL.
OpenSSL is hardly the only alternative around for C programmers; Peter
Gutmann's cryptlib has been supporting SSL for some years now:
http://www.cs.auckland.ac.nz/~pgut001/cryptlib/
cryptlib is more cleanly implemented than OpenSSL, and comes with
excellent API documentation too. One problem with it (except for the license
issue) might be that it's rather high-level, and it's difficult to
hook into the lower-level APIs OpenSSL provides.
There are other open-source C toolkits too; after a quick Google search,
I came up with:
http://www.matrixssl.org/
http://www.gnu.org/software/gnutls/server.html
Furthermore, RSA still provides their industrial-strength BSAFE library:
http://www.rsa.com/node.aspx?id=1204
http://www.rsa.com/node.aspx?id=2977