SChannel/SSL implementation? - c++

I can implement HTTP using "win sockets" easily, but I've been struggling to implement HTTPS using "SChannel", which is pretty much poorly documented "at least for me". How can I establish a secure connection for HTTPS communication, and are there any security or performance considerations I should be aware of?

SChannel integrates quite well with Windows and allows you to perform authentication without asking for the user's credentials. Schannel works on a lower level than HTTP. It allows you to open secure TCP connections (an SSL socket). You need to implement your own HTTP stack to send HTTPS requests, or find a library. To get used to Schannel, the best place to start is to understand Microsoft's samples, which are a client-server example (a Client sample and a Server sample). They are pretty simple examples but enough to understand the basics.
Curl has been using Schannel for a while and you can find some very useful code for your exercise at https://github.com/curl/curl/blob/master/lib/vtls/schannel.c.
Security is a big topic and that's the purpose of Schannel. You will inherit the security risks of the operating system. Microsoft usually patches security issues quickly. If you are targeting Windows only, it is a good choice because of the deep integration with the Windows ecosystem. For example, you don't have to deploy your own SSL certificates like you do with OpenSSL; Schannel will read the system certs automatically. You can also implement NTLM and Kerberos authentication easily without having to ask for credentials; Schannel will get a credentials handle from the user running your software. In general, it is a pretty good library and as far as I know there is no performance penalty compared to other SSL libraries. It is well tested and deployed to millions of machines around the world.
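The answer's point that Schannel only gives you a secure byte stream, and that the HTTP layer on top is yours to write, is easy to underestimate. The example below is added here and is not code from the answer, from Microsoft's samples or from curl. It shows the part you write yourself: an HTTP/1.1 GET request builder and an incremental response parser that sits on an abstract `SecureStream` interface (a hypothetical name; in a real program its `read()`/`write()` would wrap the SChannel `DecryptMessage`/`EncryptMessage` calls around `recv`/`send`). The one thing worth learning from it is that TLS record boundaries never line up with HTTP framing, so the parser must accumulate bytes and cut the message at the header terminator and at `Content-Length`, never at whatever size one decrypted record happened to be. `ScriptedStream` is a constructed mock that replays a canned reply a few bytes at a time to imitate that; all sample data is constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <map>
#include <stdexcept>
#include <string>
#include <utility>

// Abstract plaintext channel (assumed interface, not SChannel's own API).
// In the real program write() would run bytes through EncryptMessage+send(),
// and read() would recv() TLS records and return what DecryptMessage yields.
struct SecureStream {
    virtual ~SecureStream() = default;
    virtual void write(const std::string& bytes) = 0;
    // Returns at most maxBytes of decrypted data, or "" once the peer closed.
    virtual std::string read(std::size_t maxBytes) = 0;
};

std::string buildGetRequest(const std::string& host, const std::string& path) {
    return "GET " + path + " HTTP/1.1\r\nHost: " + host +
           "\r\nConnection: close\r\n\r\n";
}

struct HttpResponse {
    int status = 0;
    std::map<std::string, std::string> headers; // names lower-cased
    std::string body;
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static std::string trim(const std::string& s) {
    std::size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(" \t") - b + 1);
}

// Incremental parser: accumulates decrypted chunks of any size and only
// commits to a status line / header set / body once the framing says so.
class HttpResponseParser {
public:
    // Feed one decrypted chunk; returns true once the response is complete.
    bool feed(const std::string& chunk) {
        buf_ += chunk;
        if (!headersDone_) {
            std::size_t end = buf_.find("\r\n\r\n");
            if (end == std::string::npos) return false; // header still partial
            parseHead(buf_.substr(0, end));
            buf_.erase(0, end + 4);
            headersDone_ = true;
        }
        if (contentLength_ >= 0 && buf_.size() >= static_cast<std::size_t>(contentLength_)) {
            resp_.body = buf_.substr(0, static_cast<std::size_t>(contentLength_));
            done_ = true;
        }
        return done_;
    }
    // Peer closed the connection: valid end only for bodies without Content-Length.
    void finishOnClose() {
        if (!headersDone_) throw std::runtime_error("closed before headers");
        if (done_) return;
        if (contentLength_ >= 0) throw std::runtime_error("truncated body");
        resp_.body = buf_;
        done_ = true;
    }
    const HttpResponse& response() const { return resp_; }

private:
    void parseHead(const std::string& head) {
        std::size_t lineEnd = head.find("\r\n");
        std::string statusLine = head.substr(0, lineEnd);
        std::size_t sp = statusLine.find(' ');          // "HTTP/1.1 200 OK"
        if (statusLine.compare(0, 5, "HTTP/") != 0 || sp == std::string::npos)
            throw std::runtime_error("bad status line");
        resp_.status = std::stoi(statusLine.substr(sp + 1, 3));
        std::size_t pos = (lineEnd == std::string::npos) ? head.size() : lineEnd + 2;
        while (pos < head.size()) {
            std::size_t next = head.find("\r\n", pos);
            std::string line = head.substr(pos, next == std::string::npos ? std::string::npos : next - pos);
            std::size_t colon = line.find(':');
            if (colon == std::string::npos) throw std::runtime_error("bad header line");
            resp_.headers[lower(line.substr(0, colon))] = trim(line.substr(colon + 1));
            if (next == std::string::npos) break;
            pos = next + 2;
        }
        auto cl = resp_.headers.find("content-length");
        if (cl != resp_.headers.end()) contentLength_ = std::stol(cl->second);
    }
    std::string buf_;
    HttpResponse resp_;
    bool headersDone_ = false, done_ = false;
    long contentLength_ = -1; // -1: read body until the peer closes
};

// One request/response over the secure channel.
HttpResponse httpsGet(SecureStream& tls, const std::string& host, const std::string& path) {
    tls.write(buildGetRequest(host, path));
    HttpResponseParser parser;
    for (;;) {
        std::string chunk = tls.read(4096);
        if (chunk.empty()) { parser.finishOnClose(); break; }
        if (parser.feed(chunk)) break;
    }
    return parser.response();
}

// Constructed mock: hands back the canned reply in fixed-size pieces, the way
// DecryptMessage returns one TLS record's worth of plaintext at a time.
class ScriptedStream : public SecureStream {
public:
    ScriptedStream(std::string reply, std::size_t recordSize)
        : reply_(std::move(reply)), record_(recordSize) {}
    void write(const std::string& bytes) override { sent += bytes; }
    std::string read(std::size_t maxBytes) override {
        std::size_t n = std::min({maxBytes, record_, reply_.size() - pos_});
        std::string out = reply_.substr(pos_, n);
        pos_ += n;
        return out;
    }
    std::string sent; // what the "server" received, for inspection
private:
    std::string reply_;
    std::size_t record_, pos_ = 0;
};

// Demo over constructed data: a 77-byte reply delivered 7 bytes at a time.
HttpResponse demo() {
    ScriptedStream tls("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                       "Content-Length: 12\r\n\r\nhello secure", 7);
    return httpsGet(tls, "example.invalid", "/status");
}
```

The same `httpsGet` loop works unchanged whether the reply arrives in one record or many, and the parser refuses to treat a closed connection as a valid end when a `Content-Length` promised more bytes, which is the case a naive "read until recv returns 0" client silently gets wrong.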

Related

Authenticate Linux client app to Windows server app via Kerberos or any secure protocol

I need some guides or keywords I can use for my additional research.
Assume there are client and server apps written in C++. There is a possibility to pass blobs from client to server and vice versa. On Windows, we can introduce Kerberos utilization, generating, processing such blobs, accepting them, impersonating threads, etc. There are some examples on MSDN. It's not so simple, but I've managed to make it work.
But what if my client runs on a Linux machine? The simplest and unsecured way of authentication is to pass the username/domain/password of the user in raw format via blobs. But what if I want to use Kerberos? So, the questions are:
What preconditions do I need to have on the client Linux machine? My first thoughts were about some kind of samba/winbind things installed there. I heard Samba authenticates to Windows AD via Kerberos.
Are there any good examples of performing a Kerberos handshake on Linux? I know there are some examples on the MIT website. Should I use those? I guess it's not so easy to make it work in the right way and test it (actually I KNOW it from my Windows experience).
The API you should investigate is GSSAPI. If the Windows server application uses SSPI (the Windows version of GSSAPI) then you should be able to write an interoperable client using GSSAPI. It really depends on exactly how the Windows server uses SSPI though. See MSDN SSPI for some details.
The MIT Kerberos libraries are available with most Linux distributions and have all the libraries you need to do GSSAPI with Kerberos.
GSSAPI is a library for wrapping data; you still need to implement the resulting protocol exchange. Depending on exactly how the Windows server is written this may be quite complex.
It is possible to use Active Directory as your KDC for writing Linux client/server Kerberos applications. Looking at the Linux Samba code should help you understand some of the issues involved in writing a Linux client for Windows based services.

Supporting Web Services from a Win/MFC/C++ App

I am looking for the best way to add support for a REST based Web Service to an MFC C++ Application. This is legacy code that has been around a long time.
I need to have the Application provide the Web Service. I've researched this, and the articles are about consuming Web Services in a C++ App. I envision having to monitor a port and respond to the HTTP requests. It would probably make more sense to tie in with WCF and IIS, but I am not sure how to move forward.
I already have a tool of "making" this App into a Windows Service. I realize it would be better to have a "real" app, and this is what I have to work with. There is so much logic in this code and we are limited in development time, so we are taking the fastest approach possible. We also cannot use DCOM, as the Web Service will be called by a Linux based system.
Any suggested articles would be much appreciated.
For C++ you can test two libraries, WSF/C and gSOAP; another alternative is to develop it with C# and WCF, and communicate between C# and C++ using C++/CLI.
I use the POCO Net C++ library for this as it supports both HTTP client and server functionality. I considered various other libraries including Boost based stuff, but other than POCO I struggled to find everything I needed in one tidy package. It also has some easy to use mutex support which became essential for me as soon as I added a web server front-end to what had previously been a simple single threaded console app. POCO is cross platform but I mainly use it on Windows and it has served me well to date. I'm not very clued up on MFC so I don't know how it would get on in that department though.

C++ programming for HTTPS

I am a C++ programmer new to HTTPS. I need to write a COM based Windows service in C++ which can handle HTTPS requests. But for that I would need to understand how the technologies and the protocol fit together.
I understand this is a very open ended question but my intent is to find some documentation that introduces a C++ programmer to HTTPS programming.
Thanks in advance.
Writing your own HTTP server is no minor undertaking (if you want to get everything right), and writing one to support SSL is even more difficult. You would be much better advised to use one of the many open source servers (see here for a list), many of which can be embedded in your C++ code. Personally, I have found Mongoose very easy to embed in C++ code.
The other option for Windows Vista/Windows Server 2008 or later is to use the IIS Hostable Core. For client versions this is available even in Home Basic, though IIS is not.
This does basically all the work of the HTTP and HTTPS protocols for you and all that is left to do is write the callback functions which define what to send out over the pipe.

Web service encryption

We developed a web service which is accessed by clients on various platforms; for example, it is requested by C++ and Java enabled clients.
I want to use a simple, effective encryption algorithm which is easily decrypted by Java, C++ and JavaScript based clients.
Why not just deliver your service over HTTPS?
Why write anything?
The most widely-compatible method of Web Service security that is still actually secure is Transport with Message Credentials. This uses SSL (https) for transport-layer security, which handles the encryption aspect, and passes a username/password in the SOAP header, which handles the authentication side.
It is not as secure as mutual-certificate authentication, which also gives you non-repudiation, but it is good enough for the vast majority of applications.
Several other options exist, but T/MC is usually the easiest to get working across platforms (.NET, Java, C++).
If you need to add javascript into the mix then I'm afraid you may be disappointed, as that is a serious game-changer. Although there do seem to exist various JavaScript SOAP Client implementations, SOAP is a second-class citizen in the JavaScript world, and I don't believe that any existing libraries have proper support for WS-Security or really WS-Anything except for the basic profile.
If you want your web service to be consumable by JavaScript then you want to go for REST instead of SOAP. I know that .NET (WCF) is pretty good at this but I'm not too sure how well Java and C++ fare. I believe that the transport security should be simple enough (it's just SSL), but it's likely that you'll have to implement some custom authentication code to get it working across platforms. Either way, you definitely want to go the SSL route; please do not try to roll your own encryption scheme.
If you already have the service implementation which is Basic Profile compliant and you want to keep on supporting various platform clients, extend your current service with WS-Security/WS-Trust. This will allow for encrypting/signing the content of the message, without losing interoperability.
Depending on which toolset you used for your original implementation, the inclusion of WS-Security can be as easy as 'flicking a switch and selecting some options in your configuration file' (WCF/ASMX+WSE).
Since you mention the various platforms client side, I assume this is one of your main requirements.
Hope this helps.
You can simply use HTTPS, which is easily implementable in both C++/Java clients (e.g. using the GnuTLS library). On the server side, you will only need some small configuration changes.
Apart from the different request code, you have to create a self-signed SSL server certificate and install it on the clients. Of course this is not a good idea if the web service is public, where you need trust (= a real SSL certificate). But if it's only used internally, self-signed certificates are a quite good solution, as long as you keep the private key secret.

How can I make networking work in my WinCE app without launching IE first?

I have a simple WinCE network application (in C, Win32 APIs). I find that networking doesn't seem to work unless I launch IE (or another network app) first. I assume that IE is setting up my network interface in some way.
How can I do this for myself?
Might I need to display a list of available interfaces to the user (eg. WiFi/Ethernet/3G)?
Thanks.
All I know is that Internet Explorer uses WinInet (wininet.dll) for its networking, and you can too. WinInet is an MS API for working with the HTTP and FTP protocols. Many of the settings on the "Internet Options" control panel applet are actually WinInet settings (e.g. for dealing with cookies, setting up proxies on LANs, and autodial on dial-up networks). I'm 99% sure that anything that IE can do, you can do yourself using the API.
I think the answer might be InternetAttemptConnect: http://msdn.microsoft.com/en-us/library/aa383996(VS.85).aspx
If by "network application" you mean sockets, then WinCE definitely does not require IE to launch for that to work. You'll need to provide more specifics about what you're trying to do for a better answer than that.
You need to establish a network connection first. You can automate the process using the Connection Manager API.
The user can also raise a data connection manually.