
Secure Server Client using OpenSSL in C


Overview of the SSL handshake
Steps involved in the SSL handshake (courtesy: http://www.pierobon.org):

  1. The client sends the server the client's SSL version number, cipher settings, randomly generated data, and other information the server needs to communicate with the client using SSL.
  2. The server sends the client the server's SSL version number, cipher settings, randomly generated data, and other information the client needs to communicate with the server over SSL. The server also sends its own digital certificate and, if the client is requesting a server resource that requires client authentication, requests the client's digital certificate.
  3. The client uses the information sent by the server to authenticate the server: it validates the certificate chain against its trust store and checks that the certificate belongs to the host it meant to talk to. If the server cannot be authenticated, the user is warned that an encrypted and authenticated connection cannot be established. If the server is successfully authenticated, the client proceeds.
  4. The client creates the premaster secret for the session (in the RSA key exchange this is a random value), encrypts it with the server's public key (obtained from the server's digital certificate), and sends the encrypted premaster secret to the server.
  5. If the server has requested client authentication (an optional step in the handshake), the client also signs another piece of data that is unique to this handshake and known by both the client and the server. In this case the client sends both the signed data and its own digital certificate to the server along with the encrypted premaster secret.
  6. If the server has requested client authentication, the server attempts to authenticate the client. If the client cannot be authenticated, the session is terminated. If the client is successfully authenticated, the server uses its private key to decrypt the premaster secret, then performs the same series of steps as the client, starting from the same premaster secret, to generate the master secret.
  7. Both the client and the server use the master secret to generate session keys: symmetric keys used to encrypt and decrypt the information exchanged during the SSL session and to verify its integrity.
  8. The client informs the server that future messages from the client will be encrypted with the session key. It then sends a separate encrypted message indicating that the client portion of the handshake is finished.
  9. The server sends a message to the client informing it that future messages from the server will be encrypted with the session key. It then sends a separate encrypted message indicating that the server portion of the handshake is finished.
  10. The SSL handshake is now complete, and the SSL session has begun. The client and the server use the session keys to encrypt and decrypt the data they send to each other and to validate its integrity.

Two caveats on this description. It is the RSA key-transport handshake: the premaster secret is encrypted to the server's long-term RSA key, so anyone who later obtains that key can decrypt recorded sessions. TLS 1.2 with ECDHE/DHE cipher suites instead derives the premaster secret from an ephemeral Diffie-Hellman exchange that the server signs with its certificate key, and TLS 1.3 removed RSA key transport altogether. And step 3 only happens if the client is configured to do it: OpenSSL does not verify the peer certificate or the hostname unless the application asks for it, which the client program below does not.
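The ClientHello of step 1 as it appears on the wire. This is an added example, not code from the original post or from OpenSSL: it parses a constructed TLS 1.2 ClientHello (record header, handshake header, offered version, 32-byte client random, three cipher suites and a server_name extension) with every embedded length checked against the bytes actually present, which is the shape of the first record ssldump or Wireshark decode. The sample byte string, the client_hello_t layout and the parse_client_hello name are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The fields step 1 above calls "SSL version number, cipher settings,
 * randomly generated data", as they appear in the first record on the wire. */
typedef struct {
    uint16_t record_version;    /* legacy record-layer version (0x0301 is what most clients send) */
    uint16_t client_version;    /* highest version offered: 0x0303 = TLS 1.2 */
    uint8_t  random[32];        /* client random: gmt_unix_time + 28 random bytes */
    uint8_t  session_id_len;
    uint16_t cipher_suites[32]; /* IANA suite codes in the client's preference order */
    size_t   n_cipher_suites;
    char     sni[256];          /* server_name extension (RFC 6066), "" if absent */
} client_hello_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static size_t   rd24(const uint8_t *p) { return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2]; }

/* Parses one TLS record carrying a ClientHello. Returns 0 on success and -1 if the
 * input is truncated or any embedded length runs past the bytes actually present:
 * every length is checked against the remaining data before it is trusted. */
int parse_client_hello(const uint8_t *buf, size_t len, client_hello_t *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 5 || buf[0] != 0x16)                 /* ContentType 22 = handshake */
        return -1;
    out->record_version = rd16(buf + 1);
    size_t rec_len = rd16(buf + 3);
    if (rec_len > len - 5)
        return -1;
    const uint8_t *p = buf + 5, *end = p + rec_len;

    if (end - p < 4 || p[0] != 0x01)               /* HandshakeType 1 = client_hello */
        return -1;
    size_t hs_len = rd24(p + 1);
    p += 4;
    if (hs_len > (size_t)(end - p))
        return -1;
    end = p + hs_len;                              /* only the inner length counts from here on */

    if ((size_t)(end - p) < 2 + 32 + 1)
        return -1;
    out->client_version = rd16(p);      p += 2;
    memcpy(out->random, p, 32);         p += 32;
    out->session_id_len = *p++;
    if (out->session_id_len > (size_t)(end - p))
        return -1;
    p += out->session_id_len;

    if (end - p < 2)
        return -1;
    size_t cs_len = rd16(p);            p += 2;
    if (cs_len % 2 != 0 || cs_len > (size_t)(end - p))
        return -1;
    for (size_t i = 0; i < cs_len && out->n_cipher_suites < 32; i += 2)
        out->cipher_suites[out->n_cipher_suites++] = rd16(p + i);
    p += cs_len;

    if (end - p < 1)
        return -1;
    size_t comp_len = *p++;                        /* compression methods; "null" only, in practice */
    if (comp_len > (size_t)(end - p))
        return -1;
    p += comp_len;

    if (p == end)                                  /* no extensions block at all is legal */
        return 0;
    if (end - p < 2)
        return -1;
    size_t ext_len = rd16(p);           p += 2;
    if (ext_len != (size_t)(end - p))
        return -1;
    while (end - p >= 4) {
        uint16_t type = rd16(p), elen = rd16(p + 2);
        p += 4;
        if (elen > (size_t)(end - p))
            return -1;
        if (type == 0x0000 && elen >= 5) {         /* server_name: list_len(2) name_type(1) name_len(2) name */
            const uint8_t *q = p + 2;
            size_t name_len = rd16(q + 1);
            if (q[0] == 0 && 5 + name_len <= elen && name_len < sizeof(out->sni)) {
                memcpy(out->sni, q + 3, name_len);
                out->sni[name_len] = '\0';
            }
        }
        p += elen;
    }
    return p == end ? 0 : -1;
}

/* Constructed sample, not a capture: a TLS 1.2 ClientHello offering three suites
 * and SNI "localhost", 74 bytes in total. */
static const uint8_t sample_client_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x45,                  /* record: handshake, legacy version 3.1, 69 bytes */
    0x01, 0x00, 0x00, 0x41,                        /* ClientHello, body 65 bytes */
    0x03, 0x03,                                    /* client_version: TLS 1.2 */
    0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a,
    0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a,
    0x00,                                          /* session_id: empty */
    /* 0xc02f ECDHE-RSA-AES128-GCM-SHA256, 0xc02b ECDHE-ECDSA-AES128-GCM-SHA256, 0x009c AES128-GCM-SHA256 */
    0x00, 0x06, 0xc0, 0x2f, 0xc0, 0x2b, 0x00, 0x9c,
    0x01, 0x00,                                    /* compression: null */
    0x00, 0x12,                                    /* extensions: 18 bytes */
    0x00, 0x00, 0x00, 0x0e,                        /* server_name extension, 14 bytes of data */
    0x00, 0x0c, 0x00, 0x00, 0x09,                  /* list length 12, host_name, length 9 */
    'l', 'o', 'c', 'a', 'l', 'h', 'o', 's', 't'
};

int main(void)
{
    client_hello_t ch;
    if (parse_client_hello(sample_client_hello, sizeof sample_client_hello, &ch) != 0)
        return 1;
    printf("version 0x%04x, %zu suites, SNI \"%s\"\n", ch.client_version, ch.n_cipher_suites, ch.sni);
    return 0;
}
```

The session id, cipher-suite list and extension block are all length-prefixed by the sender, and a parser that believes those prefixes without comparing them to the bytes it actually holds reads past its buffer; that comparison, repeated at every level, is the whole point of the example.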




Here's an implementation of a secure server and client using OpenSSL.

The code is adapted from http://www.cs.utah.edu/~swalton/listings/sockets/programs

Of course you need to have OpenSSL installed on your system first. You can download the latest OpenSSL package at OpenSSL Source.

Before running the server you need a certificate and a private key, which the program reads from one file. You can generate a self-signed pair with this command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=localhost" -keyout mycert.pem -out mycert.pem

where mycert.pem receives both the private key and the certificate (that is why the server loads the same file as CertFile and KeyFile). The original command used rsa:1024; 1024-bit RSA is too weak for anything but a throwaway test and is rejected outright at OpenSSL security level 2, the default on Debian and Ubuntu builds, so use 2048 bits or more. If a client is going to verify the hostname, the name it connects to must appear in the certificate; on OpenSSL 1.1.1 and later add -addext "subjectAltName=DNS:localhost" so it is present as a SAN and not only in the CN.

To run the Server
Compile : gcc -Wall -o ssl-server SSL-Server.c -L/usr/lib -lssl -lcrypto
Run : sudo ./ssl-server <portnum>

To run the Client
Compile : gcc -Wall -o ssl-client SSL-Client.c -L/usr/lib -lssl -lcrypto
Run : ./ssl-client <hostname> <portnum>

The server refuses to start unless it is run as root, but root is only actually needed to bind a port below 1024. Use a high port and drop the isRoot() check if you build on this code; a listening TLS server has no business running as root.

Note: The code and the compilation process were updated for TLSv1.2. To install the OpenSSL headers and libraries on Ubuntu, use sudo apt-get install libssl-dev. On OpenSSL 1.1.0 and later the version-specific TLSv1_2_server_method() and TLSv1_2_client_method() calls are deprecated in favour of TLS_server_method()/TLS_client_method() combined with SSL_CTX_set_min_proto_version(); they still compile and run, possibly with deprecation warnings.

To see the SSL handshake on the wire, use the ssldump tool, or capture with tcpdump/Wireshark filtered on the server port: the ClientHello, ServerHello and Certificate records are visible in the clear, and everything after ChangeCipherSpec is encrypted.


//SSL-Server.c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <resolv.h>
#include "openssl/ssl.h"
#include "openssl/err.h"

#define FAIL    -1

int OpenListener(int port)
{   int sd, on = 1;
    struct sockaddr_in addr;

    sd = socket(PF_INET, SOCK_STREAM, 0);
    if ( sd < 0 )
    {
        perror("can't create socket");
        abort();
    }
    setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); /* allow a quick restart */
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = INADDR_ANY;
    if ( bind(sd, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
    {
        perror("can't bind port");
        abort();
    }
    if ( listen(sd, 10) != 0 )
    {
        perror("Can't configure listening port");
        abort();
    }
    return sd;
}

int isRoot(void)
{
    /* root is only needed to bind a port below 1024; the program insists on it anyway */
    return getuid() == 0;
}

SSL_CTX* InitServerCTX(void)
{   const SSL_METHOD *method;   /* the *_method() functions return a const pointer */
    SSL_CTX *ctx;

    OpenSSL_add_all_algorithms();  /* load & register all cryptos, etc. */
    SSL_load_error_strings();   /* load all error messages */
    method = TLSv1_2_server_method();  /* TLS 1.2 only (deprecated since OpenSSL 1.1.0, still available) */
    ctx = SSL_CTX_new(method);   /* create new context from method */
    if ( ctx == NULL )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    return ctx;
}

void LoadCertificates(SSL_CTX* ctx, const char* CertFile, const char* KeyFile)
{
    /* set the local certificate from CertFile */
    if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* set the private key from KeyFile (may be the same as CertFile) */
    if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* verify that the private key matches the public key in the certificate */
    if ( !SSL_CTX_check_private_key(ctx) )
    {
        fprintf(stderr, "Private key does not match the public certificate\n");
        abort();
    }
}

void ShowCerts(SSL* ssl)
{   X509 *cert;
    char *line;

    cert = SSL_get_peer_certificate(ssl); /* the client's certificate, if it presented one */
    if ( cert != NULL )
    {
        printf("Client certificates:\n");
        line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
        printf("Subject: %s\n", line);
        OPENSSL_free(line);    /* allocated by OpenSSL, so release it with OPENSSL_free */
        line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
        printf("Issuer: %s\n", line);
        OPENSSL_free(line);
        X509_free(cert);
    }
    else
        printf("No certificates.\n");   /* expected: this server never asks the client for one */
}

void Servlet(SSL* ssl) /* Serve the connection -- threadable */
{   char buf[1024];
    char reply[1024 + 64];  /* room for buf plus the HTML wrapper */
    int sd, bytes;
    const char* HTMLecho="<html><body><pre>%s</pre></body></html>\n\n";

    if ( SSL_accept(ssl) <= 0 )     /* 1 = handshake completed; 0 or negative = failure */
        ERR_print_errors_fp(stderr);
    else
    {
        ShowCerts(ssl);        /* get any certificates */
        bytes = SSL_read(ssl, buf, sizeof(buf) - 1); /* leave room for the terminator */
        if ( bytes > 0 )
        {
            buf[bytes] = 0;
            printf("Client msg: \"%s\"\n", buf);
            /* bounded write: the original sprintf() could overflow reply with a 1 KB request.
             * The client text is echoed into the HTML unescaped; fine for a demo, not for a web server. */
            snprintf(reply, sizeof(reply), HTMLecho, buf);
            SSL_write(ssl, reply, strlen(reply)); /* send reply */
        }
        else
            ERR_print_errors_fp(stderr);
        SSL_shutdown(ssl);     /* send close_notify so the peer sees a clean end of stream */
    }
    sd = SSL_get_fd(ssl);       /* get socket connection */
    SSL_free(ssl);         /* release SSL state */
    close(sd);          /* close connection */
}

int main(int count, char *strings[])
{   SSL_CTX *ctx;
    int server;
    char *portnum;

    if(!isRoot())
    {
        printf("This program must be run as root/sudo user!!\n");
        exit(1);
    }
    if ( count != 2 )
    {
        printf("Usage: %s <portnum>\n", strings[0]);
        exit(1);
    }
    SSL_library_init();

    portnum = strings[1];
    ctx = InitServerCTX();        /* initialize SSL */
    LoadCertificates(ctx, "mycert.pem", "mycert.pem"); /* load certs (key and cert are in the same file) */
    server = OpenListener(atoi(portnum));    /* create server socket */
    while (1)
    {   struct sockaddr_in addr;
        socklen_t len = sizeof(addr);
        SSL *ssl;

        int client = accept(server, (struct sockaddr*)&addr, &len);  /* accept connection as usual */
        if ( client < 0 )
        {
            perror("accept");
            continue;
        }
        printf("Connection: %s:%d\n",inet_ntoa(addr.sin_addr), ntohs(addr.sin_port));
        ssl = SSL_new(ctx);              /* get new SSL state with context */
        SSL_set_fd(ssl, client);      /* set connection socket to SSL state */
        Servlet(ssl);         /* service connection */
    }
    close(server);          /* close server socket */
    SSL_CTX_free(ctx);         /* release context */
    return 0;
}


//SSL-Client.c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <resolv.h>
#include <netdb.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

#define FAIL    -1

int OpenConnection(const char *hostname, int port)
{   int sd;
    struct hostent *host;
    struct sockaddr_in addr;

    if ( (host = gethostbyname(hostname)) == NULL )
    {
        herror(hostname);   /* gethostbyname() reports through h_errno, not errno */
        abort();
    }
    sd = socket(PF_INET, SOCK_STREAM, 0);
    if ( sd < 0 )
    {
        perror("socket");
        abort();
    }
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    /* copy exactly one IPv4 address; the original *(long*)(host->h_addr) over-reads on 64-bit */
    memcpy(&addr.sin_addr, host->h_addr_list[0], sizeof(addr.sin_addr));
    if ( connect(sd, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
    {
        close(sd);
        perror(hostname);
        abort();
    }
    return sd;
}

SSL_CTX* InitCTX(void)
{   const SSL_METHOD *method;   /* the *_method() functions return a const pointer */
    SSL_CTX *ctx;

    OpenSSL_add_all_algorithms();  /* Load cryptos, et.al. */
    SSL_load_error_strings();   /* Bring in and register error messages */
    method = TLSv1_2_client_method();  /* TLS 1.2 only (deprecated since OpenSSL 1.1.0, still available) */
    ctx = SSL_CTX_new(method);   /* Create new context */
    if ( ctx == NULL )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* No SSL_CTX_set_verify() and no trust store: this client accepts whatever
     * certificate the server presents, including an attacker's. A real client
     * must configure a trust store and check the hostname. */
    return ctx;
}

void ShowCerts(SSL* ssl)
{   X509 *cert;
    char *line;

    cert = SSL_get_peer_certificate(ssl); /* get the server's certificate */
    if ( cert != NULL )
    {
        printf("Server certificates:\n");
        line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
        printf("Subject: %s\n", line);
        OPENSSL_free(line);       /* allocated by OpenSSL, so release it with OPENSSL_free */
        line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
        printf("Issuer: %s\n", line);
        OPENSSL_free(line);
        X509_free(cert);     /* free the certificate copy */
    }
    else
        printf("No server certificate presented.\n");
}

int main(int count, char *strings[])
{   SSL_CTX *ctx;
    int server;
    SSL *ssl;
    char buf[1024];
    int bytes;
    char *hostname, *portnum;

    if ( count != 3 )
    {
        printf("usage: %s <hostname> <portnum>\n", strings[0]);
        exit(1);
    }
    SSL_library_init();
    hostname=strings[1];
    portnum=strings[2];

    ctx = InitCTX();
    server = OpenConnection(hostname, atoi(portnum));
    ssl = SSL_new(ctx);      /* create new SSL connection state */
    SSL_set_fd(ssl, server);    /* attach the socket descriptor */
    if ( SSL_connect(ssl) <= 0 )   /* 1 = handshake completed; 0 or negative = failure */
        ERR_print_errors_fp(stderr);
    else
    {   const char *msg = "Hello???";

        printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
        ShowCerts(ssl);        /* print the server's certificate (printing it is not verifying it) */
        SSL_write(ssl, msg, strlen(msg));   /* encrypt & send message */
        bytes = SSL_read(ssl, buf, sizeof(buf) - 1); /* get reply & decrypt, leaving room for the terminator */
        if ( bytes > 0 )
        {
            buf[bytes] = 0;
            printf("Received: \"%s\"\n", buf);
        }
        else
            ERR_print_errors_fp(stderr);
        SSL_shutdown(ssl);     /* send close_notify */
    }
    SSL_free(ssl);        /* release connection state */
    close(server);         /* close socket */
    SSL_CTX_free(ctx);        /* release context */
    return 0;
}

Update: The code is updated to use the TLS v1.2 methods. To compile and use this code, please make sure you have an OpenSSL that supports TLS v1.2 (1.0.1 or later).

One thing the client above leaves out, and that you must add before using it for anything real: it never verifies the server. ShowCerts() only prints the certificate it was handed; no SSL_CTX_set_verify(), no trust store (SSL_CTX_load_verify_locations() or SSL_CTX_set_default_verify_paths()) and no hostname check (SSL_set1_host()) are configured, so the handshake succeeds against any certificate, including one presented by an attacker on the path. That is step 3 of the handshake silently skipped.

Comments

  1. Replies
    1. It might be possible, since it is not production-level code and I have not checked yet. I'll go through and update the necessary blocks.
    2. I checked with valgrind; there seem to be no memory leaks. Could you point out where in the code you are having issues?
    3. I don't see any memory leaks either.
  2. This comment has been removed by the author.

    Replies
    1. Hi,

      Had you created the certificates as mentioned in the post? Also please check if the server is listening on the port number you mentioned in the command line.
      You can use following command to check if the server is listening

      netstat -apnc |grep

      The code provided above is fully functional and tested code. It will run in the present form as such.

      Thanks,
      Varun

  3. This comment has been removed by the author.

  4. Which algorithm is used for encryption in this code?

    Replies
    1. For the certificates, RSA has been used for X.509 certificate generation.
  5. Hi, I'm new to OpenSSL.
    I tried to compile your code, but why do I keep getting errors like:
    Cannot open include file: 'unistd.h': No such file or directory
    Cannot open include file: 'arpa/inet.h': No such file or directory
    Cannot open include file: 'sys/socket.h': No such file or directory
    Cannot open include file: 'netinet/in.h': No such file or directory
    Cannot open include file: 'resolv.h': No such file or directory

    I'm using openssl-1.0.1b and Visual Studio 2008.

    Replies
    1. Hi,

      This code is meant only for Linux-based systems. You'll have to port it to Windows-based systems; try replacing the system calls with their Windows equivalents.
    2. It works on NetBSD too!
  6. Hi Varun,

    I have tested this code already on an Ubuntu 10.04 machine. It worked fine then. But now I am using Ubuntu 12.04. Compiling this code gives me the errors "undefined reference to SSLv2_client_method" and "undefined reference to SSLv2_server_method". Please help me in fixing the issues.

    Replies
    1. Hi Vaishnavi,

      I think the reason for that would be that Ubuntu 12.04 may not be supporting SSLv2. Try installing those on Ubuntu 12.04 or use the latest SSL API, which I guess is SSLv3.
    2. Hi, please help me: how do I make this code work in Ubuntu 12.04?
    3. Hi Varun Gupta, please help me.
      How do I make this code work in Ubuntu 12.04?
    4. This shit is the reason why the Linux Standard Base decided to use NSSL (Netscape secure socket layer) library as default and not OpenSSL. Too many bugs and an unstable API, especially ABI.
  7. Thanks Varun. I have done that and it works. Could you please clarify my doubt? I have not gone through the code completely and hence I have this doubt. Once the connection is established, will all the messages transmitted thereafter be encrypted on the sending side and decrypted on the receiving side? I would like to know this just to confirm the security of the data.

    Replies
    1. Yes, after the SSL handshake is complete, all the messages after that will be secured. That's the reason the client and server exchange secret keys: the keys are used to encrypt and decrypt the messages on both sides.
  8. Hello Varun Gupta,
    Thanks for the code, it works fine. I just wanted to know, do just SSL_read and SSL_write encrypt the data? Also, is there a way I can send a client certificate to the server?

    Replies
    1. Yes, SSL_write encrypts the data and SSL_read decrypts it using the certificates.
      The certificates are generally installed from a common source such as a trusted CA. Both client and server get it from there. Otherwise you have to install it manually.
  9. How do I write an SSL web server in C? Next time please teach me.
  10. Hi,
    I tried to compile your code in Ubuntu 12.04. It displays this error:
    /tmp/cc4e1mRP.o: In function `InitServerCTX':
    undefined reference to `OPENSSL_add_all_algorithms_noconf'
    undefined reference to `SSL_load_error_strings'
    undefined reference to `SSLv2_server_method'
    undefined reference to `SSL_CTX_new'
    undefined reference to `ERR_print_errors_fp'

    Replies
    1. Please refer to the solution above. In Ubuntu 12.04 the support for SSLv2 has been removed and SSLv3 is introduced. So you'll have to replace your SSLv2 functions with SSLv3 functions, or you can install the SSLv2 library as well.

      You can follow these links for the latter case:
      http://blog.geektirade.com/2012/10/sslv2-for-ubuntu-1204.html
      http://www.hackwhackandsmack.com/?p=46
  11. Very nice example, but I changed the OpenConnection function:

    /* Debug() is the commenter's own logging helper and is not shown. */
    int OpenConnection(char *hostname, int port)
    {
        struct timeval timeout;
        struct sockaddr_in serv_addr;
        int sslSocket;

        sslSocket = socket(AF_INET, SOCK_STREAM, 0);
        if (sslSocket < 0)
        {
            Debug("ERROR opening socket");
            return -1;
        }
        memset(&serv_addr, 0, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        serv_addr.sin_port = htons(port);
        serv_addr.sin_addr.s_addr = inet_addr(hostname);   /* expects a dotted-quad address, not a name */

        timeout.tv_sec = 2; /* connection timeout and read/write timeout */
        timeout.tv_usec = 0;

        if (setsockopt(sslSocket, SOL_SOCKET, SO_RCVTIMEO, (char *)&timeout, sizeof(timeout)) < 0)
        {
            Debug("ERROR setsockopt SO_RCVTIMEO");
            close(sslSocket);
            return -1;
        }

        if (setsockopt(sslSocket, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof(timeout)) < 0)
        {
            Debug("ERROR setsockopt SO_SNDTIMEO");
            close(sslSocket);
            return -1;
        }
        Debug("connecting");
        if (connect(sslSocket, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
        {
            Debug("ERROR connection:%d", 2);
            close(sslSocket);
            return -1;
        }

        //nonblock(sslSocket);

        return sslSocket;
    }
  12. Hi... thanks, good job... but now I want to authenticate the client too... could you help me? Please.
    Replies
    1. //SSL-Client.c
      #include <stdio.h>
      #include <errno.h>
      #include <unistd.h>
      #include <malloc.h>
      #include <string.h>
      #include <sys/socket.h>
      #include <resolv.h>
      #include <netdb.h>
      #include <openssl/ssl.h>
      #include <openssl/err.h>

      #define FAIL -1

      //Added the LoadCertificates function, the same way the server side does it.
      void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile)
      {
          /* set the local certificate from CertFile */
          if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 )
          {
              ERR_print_errors_fp(stderr);
              abort();
          }
          /* set the private key from KeyFile (may be the same as CertFile) */
          if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 )
          {
              ERR_print_errors_fp(stderr);
              abort();
          }
          /* verify private key */
          if ( !SSL_CTX_check_private_key(ctx) )
          {
              fprintf(stderr, "Private key does not match the public certificate\n");
              abort();
          }
      }

      int OpenConnection(const char *hostname, int port)
      {   int sd;
          struct hostent *host;
          struct sockaddr_in addr;

          if ( (host = gethostbyname(hostname)) == NULL )
          {
              perror(hostname);
              abort();
          }
          sd = socket(PF_INET, SOCK_STREAM, 0);
          bzero(&addr, sizeof(addr));
          addr.sin_family = AF_INET;
          addr.sin_port = htons(port);
          /* copy exactly one IPv4 address; *(long*)(host->h_addr) over-reads on 64-bit */
          memcpy(&addr.sin_addr, host->h_addr_list[0], sizeof(addr.sin_addr));
          if ( connect(sd, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
          {
              close(sd);
              perror(hostname);
              abort();
          }
          return sd;
      }

      SSL_CTX* InitCTX(void)
      {   const SSL_METHOD *method;
          SSL_CTX *ctx;

          OpenSSL_add_all_algorithms(); /* Load cryptos, et.al. */
          SSL_load_error_strings(); /* Bring in and register error messages */
          /* the comment originally used SSLv3_client_method(); SSLv3 is disabled in current OpenSSL builds */
          method = TLSv1_2_client_method(); /* Create new client-method instance */
          ctx = SSL_CTX_new(method); /* Create new context */
          if ( ctx == NULL )
          {
              ERR_print_errors_fp(stderr);
              abort();
          }
          return ctx;
      }

      void ShowCerts(SSL* ssl)
      {   X509 *cert;
          char *line;

          cert = SSL_get_peer_certificate(ssl); /* get the server's certificate */
          if ( cert != NULL )
          {
              printf("Server certificates:\n");
              line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
              printf("Subject: %s\n", line);
              OPENSSL_free(line); /* allocated by OpenSSL, released with OPENSSL_free */
              line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
              printf("Issuer: %s\n", line);
              OPENSSL_free(line);
              X509_free(cert); /* free the certificate copy */
          }
          else
              printf("No certificates.\n");
      }

      int main()
      {   SSL_CTX *ctx;
          int server;
          SSL *ssl;
          char buf[1024];
          int bytes;
          char hostname[]="127.0.0.1";
          char portnum[]="5000";
          char CertFile[] = "/home/myCA/cacert.pem";
          char KeyFile[] = "/home/myCA/private/cakey.pem";

          SSL_library_init();

          ctx = InitCTX();
          LoadCertificates(ctx, CertFile, KeyFile);
          server = OpenConnection(hostname, atoi(portnum));
          ssl = SSL_new(ctx); /* create new SSL connection state */
          SSL_set_fd(ssl, server); /* attach the socket descriptor */
          if ( SSL_connect(ssl) <= 0 ) /* perform the connection; 1 = success */
              ERR_print_errors_fp(stderr);
          else
          {   const char *msg = "Hello???";

              printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
              ShowCerts(ssl); /* get any certs */
              SSL_write(ssl, msg, strlen(msg)); /* encrypt & send message */
              bytes = SSL_read(ssl, buf, sizeof(buf) - 1); /* get reply & decrypt */
              if ( bytes > 0 )
              {
                  buf[bytes] = 0;
                  printf("Received: \"%s\"\n", buf);
              }
              SSL_free(ssl); /* release connection state */
          }
          close(server); /* close socket */
          SSL_CTX_free(ctx); /* release context */
          return 0;
      }
    2. Nice, but how do you do it on the server side? What is the function involved in checking if the client has a certificate? Thank you!
  13. Thank you very much for this code! However, I have a little problem: I would like to authenticate the client but I don't understand how to do it. I put the function "LoadCertificate" in the client side, but the server still says "No certificates." I don't understand which function is involved in checking the certificate. Could you help me please?

    Replies
    1. I have the same question regarding client authentication. I got it to work immediately like in the main example given above, updated the client code to use the client certificate and client private key, but how do I actually make the server aware of it so that it authenticates the client?

      Thanks a lot in advance for any help!
    2. Exactly the same case here. If anybody could shed some light on this issue, I would be very grateful.

      Anyway, best example so far.
    3. Same problem: I cannot get the server output to show the client certificates. SSL_get_peer_certificate should return the certificate object of the client but it returns null for some reason. Can someone please put up a solution?
    4. How did the code work without a client certificate and key? I put the function "LoadCertificate" in the client side, but the server still says "No certificates."
      How can I fix this? Please help.
      Have a nice day.
    5. Hi,

      Client authentication is not mandatory. That's the reason why the code works fine.
  14. Hi, after coding and compiling successfully, if I want to test this server/client program, how do I do that?
    Suppose I want to check both programs on my PC only; how can I do that?
  15. If I want to test both programs on the same Linux PC, how can I do that?

    Replies
    1. For the server
      sudo ./<server-executable-name> <port-number>

      For the client
      ./<client-executable-name> <hostname> <port-number>

      In case of the same machine
      ./<client-executable-name> localhost <port-number>
  16. Need help here: under the SSL initializing code 'SSL_CTX* InitCTX(void)', I get an error on the following line:

    method = SSLv3_client_method();

    The error is "Assigning to 'SSL_METHOD *' (aka 'ssl_method_st *') from incompatible type 'const SSL_METHOD *' (aka 'const ssl_method_st *')".
  17. Hi Varun,

    Do we need to have the server and client certificates the same or different? Does the CA need to be the same?
    In my case, SSL_accept() throws "1152921504606846944:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:3281:" on the server side.

    Any suggestions?

    Thanks in advance :)
  18. Hello Varun, could you please post a video on "How to install valgrind on Linux"?
    I am finding difficulties with './configure' and 'make'.
    Just groping in the dark with absolutely no clue on how to go about installing valgrind.
    It may help in some quick debugging of my code.
  19. Varun!
    Thank you so much for this page. Using what you put here I am able to read about the important functions, instead of having to wade through all of the OpenSSL man pages.

    Thank you!
    David

  20. Hi, I am getting an error in the server program: assignment discards qualifiers from pointer target type.
  21. After compilation of the server code, I get a warning at line 56: assignment discards qualifiers from pointer target type.
  22. Hey Varun, I am not able to download the libraries, please suggest.

    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
    libssl-doc libssl1.0.0 zlib1g-dev
    The following NEW packages will be installed:
    libssl-dev libssl-doc zlib1g-dev
    The following packages will be upgraded:
    libssl1.0.0
    1 upgraded, 3 newly installed, 0 to remove and 362 not upgraded.
    Need to get 2,865 kB/3,048 kB of archives.
    After this operation, 8,276 kB of additional disk space will be used.
    Do you want to continue? [Y/n] y
    0% [Connecting to in.archive.ubuntu.com (2001:67c:1560:8001::11)]

    Replies
    1. You can download the source from the OpenSSL website and build it yourself.
  23. In openssl-1.0.2e, the file ssl.h has the type SSL (struct ssl_st) defined. There is the following comment:

    /* session info */
    /* client cert? */
    /* This is used to hold the server certificate used. */
    struct cert_st /*CERT */ *cert

    Does that mean there is no support in the OpenSSL infrastructure for client-side certificates?
    Any idea how much work it is to add it in? Varun? Others?

    Replies
    1. OpenSSL certainly supports client-side certificates. Applications like nginx use it extensively. Also the test tool s_client supports client-side certificates. I do not have a working implementation for it, but you can search through the openssl s_client source code to get an idea.
  24. Hey,
    I captured packets through Wireshark, but I can't see any handshake steps taking place; those are just plain TCP packets. Aren't we supposed to see the handshake happening?
  25. I couldn't see the handshake happening through Wireshark. Aren't we supposed to see the handshake here!?

    Replies
    1. Try to put a filter on the port on which you're communicating and the SSL handshake should be visible.
  26. Hi Varun,

    Thank you so much for the code. Can you help me with the below problem?

    I tried running the code as you said with mycert.pem, but I'm still getting a segmentation fault on the server side, and on the client side the certificates are showing. Can you kindly help me on this?

    Thank you so much for your help...

    Let me know if there is anything else that I can do for you...

    My email address is: vbsurendar@gmail.com
  28. Try ssldump, it shows the handshake. It works for me.

    Atul
  29. Thanks Atul, can you help me with how to use ssldump with this code? I'm very sorry to disturb you since this is new to me... please help me on this.
