The OpenSSL API documentation is somewhat ambiguous. Because there isn't much tutorial on OpenSSL usage, it may be difficult for beginners to use it in an application. So how can we use OpenSSL to implement a basic secure connection? This tutorial will help you solve this problem.
The difficulty in learning how to implement OpenSSL lies in its incomplete documentation. Incomplete API documentation often prevents developers from using the API, which usually means that it is doomed to fail. However, OpenSSL is still very active and is gradually becoming more powerful. Why is that?
OpenSSL is the best known open library for secure communications. In the result of searching for "SSL library" in google, OpenSSL is at the top of the list. It was born in 1998 and originated from the SSLeay library developed by Eric Young and Tim Hudson. Other SSL toolkits include GNU TLS, which follows the GNU General Public License, and Mozilla Network Security Services (NSS) (see Resources later in this article for additional information).
So, what makes OpenSSL superior to GNU TLS, Mozilla NSS, or any other library? Licensing is a factor (see Resources). In addition, GNS TLS (by far) only supports the TLS v1.0 and SSL v3.0 protocols, nothing more.
The release of Mozilla NSS follows both the Mozilla Public License and the GNU GPL, which allows developers to make choices. However, Mozilla NSS is larger than OpenSSL and requires other external libraries to compile the library, and OpenSSL is completely self-contained. As with OpenSSL, most NSS APIs do not have documentation. Mozilla NSS has received PKCS #11 support, which can be used for encryption flags such as smart cards. OpenSSL does not have this support.
prerequisites
To fully understand and use this article, you should:
Proficient in C programming.
Be familiar with the preparation of Internet communications and Internet-enabled applications.
You are not absolutely required to become familiar with SSL because a brief explanation of SLL will be given later; however, if you would like a link to an article detailing SSL, see the Resources section. Having cryptography knowledge is good, but it is not necessary.
What is SSL?
SSL is an acronym that stands for Secure Sockets Layer. It is a standard that supports secure communication over the Internet and integrates data cryptography into protocols. The data is encrypted before it leaves your computer and is then decrypted only after it reaches its intended destination. Certificates and cryptographic algorithms support all of this. With OpenSSL, you will have the opportunity to experience them.
In theory, if encrypted data is intercepted or eavesdropped before it reaches the target, that data cannot be cracked. However, as computer changes have become faster and faster each year, and as new methods have been developed for password translation, the possibility of cracking encryption protocols used in SSL is increasing.
You can use SSL and secure connections for any type of protocol on the Internet, whether HTTP, POP3, or FTP. You can also use SSL to protect Telnet sessions. Although you can use SSL to secure any connection, you do not need to use SSL for each type of connection. If the connection transmits sensitive information, you should use SSL.
What is OpenSSL?
OpenSSL is more than just SSL. It can implement message digests, file encryption and decryption, digital certificates, digital signatures, and random numbers. There is a lot of content about the OpenSSL library, which is far from being contained in an article.
OpenSSL is not just an API, it is also a command line tool. The command line tool can do the same job as the API, and further, it can test the SSL server and client. It also gives developers an understanding of the capabilities of OpenSSL. For information on how to use the OpenSSL command line tool, see the Resources section.
What do you need
The first thing you need is the latest version of OpenSSL. Check the Resources section to determine where you can get the latest source code that you can compile yourself, or the latest version of the binaries (if you don't want to spend time compiling). However, for the sake of safety, I suggest you download the latest source code and compile it yourself. The binary version is usually compiled and distributed by a third party, not by OpenSSL developers.
Some Linux distributions come with a binary version of OpenSSL, which is sufficient for learning how to use the OpenSSL library; however, if you plan to do something practical, be sure to get the latest version and keep it there. It is the latest.
For Linux distributions installed in RPM form (Red Hat, Mandrake, etc.), we recommend that you update your OpenSSL distribution by obtaining the RPM package from the distribution manufacturer. For security reasons, it is recommended that you use the latest release version. If your distribution does not use the latest version of OpenSSL, it is recommended that you only overwrite the library file and do not overwrite the executable file. The FAQ document that comes with OpenSSL contains details about this.
Also note that OpenSSL does not have official support on all platforms. Although manufacturers have tried their best to make it cross-platform compatible, there is still the possibility that OpenSSL cannot be used for your computer and/or operating system. Please refer to the OpenSSL Web site (link in Resources) for information on which platforms are supported.
If you want to use OpenSSL to generate certificate requests and digital certificates, you must create a configuration file. In the OpenSSL package's apps folder, there is an available template file named openssl.cnf. I will not discuss this document because it is beyond the scope of this article. However, the template file has some very good comments, and if you search on the Internet, you can find many tutorials that discuss modifying this file.
Header files and initialization
There are only three header files used in this tutorial: ssl.h, bio.h, and err.h. They are all located in the openssl subdirectory and are all necessary to develop your project. To initialize the OpenSSL library, only three lines of code are required. Everything is listed in Listing 1. Other header files and/or initialization functions may be necessary for some other functions.
Listing 1. Required header file
Establishing a non-secure connection
Whether the connection is secure or insecure, OpenSSL uses an abstract library called BIO to handle various types of communication, including files and sockets. You can also set OpenSSL as a filter, such as for UU or Base64 encoded filters.
It's a bit of a hassle to explain the BIO library here, so I will introduce it little by little as needed. First, I will show you how to set up a standard socket connection. This operation requires fewer lines of code than using the BSD socket library.
Before establishing a connection (safe or not), create a pointer to a BIO object. This is similar to creating a FILE pointer for a file stream in standard C.
Listing 2. Pointers
1BIO * bio;
Open the connection
Creating a new connection requires calling BIO_new_connect. You can specify both the host name and the port number in the same call. You can also split it into two separate calls: one is the BIO_new_connect call that creates the connection and sets the host name, and the other is the BIO_set_conn_port (or BIO_set_conn_int_port) call that sets the port number.
In any case, once the host name and port number of the BIO have been specified, the pointer will try to open the connection. Nothing can affect it. If you have problems creating BIO objects, the pointer will be NULL. To ensure a successful connection, you must execute the BIO_do_connect call.
Listing 3. Create and open the connection
Here, the first line of code creates a new BIO object with the specified host name and port and formats the object in the style shown. For example, if you are connecting to port 80, the string will be:80. Call BIO_do_connect to check if the connection is successful. If an error occurs, 0 or -1 is returned.
Communicate with the server
Regardless of whether the BIO object is a socket or a file, the read and write operations performed on it are accomplished by the following two functions: BIO_read and BIO_write. It's simple, right? The highlight is that it always does.
BIO_read will attempt to read a certain number of bytes from the server. It returns the number of bytes read, 0 or -1. In a blocked connection, this function returns 0, indicating that the connection is closed, and -1 indicates that the connection has encountered an error. In the case of a non-blocking connection, a return of 0 means that there is no data available, and a return of -1 means a connection error. You can call BIO_should_retry to determine if it is possible to repeat the error.
Listing 4. Read from connection
BIO_write tries to write bytes to the socket. It will return the number of bytes actually written, 0 or -1. With BIO_read, 0 or -1 does not necessarily indicate an error. BIO_should_retry is the way to find out the problem. If you need to retry the write operation, it must use exactly the same parameters as the previous one.
Listing 5. Write to connection
Close the connection
Closing the connection is also very simple. You can close the connection in one of two ways: BIO_reset or BIO_free_all. If you still need to reuse the object, use the first method. If you do not reuse it, you can use the second method.
BIO_reset Closes the connection and resets the internal state of the BIO object so that the connection can be reused. This is useful if you want to use the same object throughout your application, such as using a secure chat client. This function does not return a value.
BIO_free_all does what it says: It releases the internal structure and frees all associated memory, including closing the associated socket. If BIO is embedded in a class, this call should be used in the destructor of the class.
Listing 6. Close the connection
Establish a secure connection
Now you need to figure out what needs to be done to establish a secure connection. The only place to change is to establish and connect. Everything else is the same.
Secure connection requires a handshake after the connection is established. During the handshake, the server sends a certificate to the client. The client then verifies the certificate against a set of trusted certificates. It will also check the certificate to make sure it is not expired. To verify that the certificate is trusted, you need to load a trusted certificate store before the connection is established.
The client sends a certificate to the server only when the server makes a request. This process is called client authentication. Use certificates to pass password parameters between the client and the server to establish a secure connection. Although the handshake is performed after the connection is established, the client or server can request a new handshake at any time.
The Netscasp article listed in the Resources section and RFC 2246 provide a more detailed discussion of handshakes and other aspects of establishing a secure connection.
Set up for secure connection
Make a few more lines of code for setting up a secure connection. At the same time, there is another pointer of type SSL_CTX. This structure holds some SSL information. You can also use it to establish an SSL connection through the BIO library. This structure can be created by calling SSL_CTX_new using an SSL method function, which is typically SSLv23_client_method .
You also need another SSL-type pointer to maintain the SSL connection structure (which is necessary for some connections to complete in a short time). You can use this SSL pointer later to check connection information or set other SSL parameters.
Listing 7. Setting SSL pointer
1 SSL_CTX * ctx = SSL_CTX_new (SSLv23_client_method());
2 SSL * ssl;
Load the trusted certificate store
After you create the context structure, you must load a library of trusted certificates. This is necessary to successfully verify each certificate. If you cannot confirm that the certificate is trusted, OpenSSL marks the certificate as invalid (but the connection can still continue).
OpenSSL comes with a set of trusted certificates. They are located in the certs directory of the source tree. However, each certificate is a separate file - that is, each certificate needs to be loaded separately. In the certs directory, there is also a subdirectory that holds expired certificates. Trying to load these certificates will be wrong.
If you wish, you can load each file separately, but for the sake of simplicity, the latest OpenSSL distributions of trusted certificates are usually stored in source code archives located in a single file named "TrustStore.pem". If you already have a library of trusted certificates and you plan to use it for a particular project, simply substitute your file for "TrustStore.pem" in Listing 8 (or use a separate function call to load them all) You can.
You can load SSL_CTX_load_verify_locations to load the trusted certificate repository file. There are three parameters used here: the context pointer, the path and file name of the trusted library file, and the path to the directory where the certificate is located. You must specify a directory of trusted library files or certificates. Returns 1 if the specification was successful and 0 if a problem was encountered.
Listing 8. Loading the truststore
If you plan to use a directory to store trusted libraries, you must name the files in a specific way. The OpenSSL documentation clearly shows how it should be done, but OpenSSL ships with a tool called c_rehash that configures the folder as a path parameter for SSL_CTX_load_verify_locations.
Listing 9. Configure the certificate folder and use it
To specify all required verification certificates, you can name any number of individual files or folders as needed. You can also specify files and folders at the same time.
Create a connection
Using the pointer to the SSL context as the only parameter, use BIO_new_ssl_connect to create the BIO object. You also need to get a pointer to an SSL structure. In this article, use this pointer only for the SSL_set_mode function. This function is used to set the SSL_MODE_AUTO_RETRY flag. Use this option to set it up. If the server suddenly wants a new handshake, OpenSSL can handle it in the background. Without this option, when the server wishes to perform a new handshake, a read or write operation will return an error and the retry flag will be set in the process.
Listing 10. Setting up BIO objects
After you set up the SSL context structure, you are ready to create the connection. The host name is set using the BIO_set_conn_hostname function. The host name and port are specified in the same format as before. This function can also open the connection to the host. In order to confirm that the connection has been successfully opened, a call to BIO_do_connect must be performed. The call will also perform a handshake to establish a secure connection.
Listing 11. Opening a secure connection
After the connection is established, the certificate must be checked to determine if it is valid. In fact, OpenSSL completed this task for us. If the certificate has a fatal problem (for example, an invalid hash value), then the connection cannot be established. However, if the problem with the certificate is not fatal (when it is expired or not yet legal), the connection can still be used.
You can use the SSL structure as the only parameter and call SSL_get_verify_result to find out if the certificate passed OpenSSL's validation. If the certificate passed an internal check of OpenSSL including trust checking, X509_V_OK is returned. If there is a problem somewhere, an error code is returned, which is recorded under the verify option of the command line tool.
It should be noted that failing to verify does not mean that the connection cannot be used. Whether you should use the connection depends on the verification results and security considerations. For example, failed trust verification may simply mean that there are no trusted certificates. The connection is still available, but it is only necessary to raise awareness of security.
Listing 12. Checking whether the certificate is valid
This is all the operations you need. Typically, BIO_read and BIO_write are used to communicate with the server. And just call BIO_free_all or BIO_reset to close the connection. Which method to call depends on whether or not BIO is reused.
The SSL context structure must be released sometime before ending the application. You can call SSL_CTX_free to release the structure.
Listing 13. Clear SSL context
1 SSL_CTX_free(ctx);
Error detection
Obviously OpenSSL throws some sort of error. what does this mean? First, you need to get the error code itself; ERR_get_error can do this task; then, you need to convert the error code to an error string, which is a pointer to a permanent string that is loaded into memory by SSL_load_error_strings or ERR_load_BIO_strings. This can be done in a nested call.
Table 1 outlines how to retrieve errors from the error stack. Listing 24 shows how to print the last error message in a text string.
Table 1. Retrieving errors from the stack
Listing 14. Print the last error
1 printf("Error: %s", ERR_reason_error_string(ERR_get_error()));
You can also have the library give a pre-formatted error string. You can call ERR_error_string to get this string. This function takes the error code and a pre-allocated buffer as arguments. And this buffer must be 256 bytes long. If the argument is NULL, OpenSSL writes the string to a static buffer of length 256 bytes and returns a pointer to the buffer. Otherwise, it will return the pointer you gave. If you select the static buffer option, the buffer will be overwritten the next time ERR_error_string is called.
Listing 15. Getting a pre-formatted error string
1 printf("%s", ERR_error_string(ERR_get_error(), NULL));
You can also dump the entire error queue to a file or BIO. This can be done with ERR_print_errors or ERR_print_errors_fp. The queue is dumped in a readable format. The first function sends the queue to BIO, and the second function sends the queue to FILE. The string format is as follows (quoted from OpenSSL documentation):
[pid]:error:[error code]:[library name]:[function name]:[reason string]:[file name]:[line]:[optional text message]
Where [pid] is the process ID, [error code] is an 8-digit hexadecimal code, [file name] is the source code file in the OpenSSL library, and [line] is the line number in the source file.
Listing 16. Dump error queue
1 ERR_print_errors_fp(FILE *);
2 ERR_print_errors(BIO *);
Start doing it
Creating a basic connection using OpenSSL is not difficult, but when trying to determine what to do, documentation can be a small hurdle. This article introduces you to some of the basic concepts, but there are still a lot of flexibility in OpenSSL to be explored, and you may also need some advanced settings so that the project can take full advantage of the capabilities of SSL.
There are two examples in this article. One sample shows a non-secure connection to http:// and the other shows a secure SSL connection to http://. Both are connected to the server and download their home page. They do not perform any security checks, and all settings in the library are default values ​​- as part of this article, these should only be used for educational purposes.
On any supported platform, the compilation of the source code should be very easy, but I suggest you use the latest version of OpenSSL. At the time of this writing, the latest version of OpenSSL is 0.9.7d.
Karaoke Speakers,Karaoke Bluetooth Speaker,Led Karaoke Speaker,Karaoke Speaker For Family
Comcn Electronics Limited , https://www.comencnspeaker.com