I am quite new to secure networking and I am trying to make a simple networking program with boost asio ssl and I have read all of the documentation available and also lots of questions and answers, but no one has yet asked:
Can I make a simple encrypted network using boost asio ssl without all of the certificate and verifying stuff. Just a public/private key pair on both ends, then some sort of public key exchange (handshake?) and then secure communication?
If I am wrong or mistaken about something, please do correct me. Simple examples would be much appreciated.
See here for a minimal demo client/server using Boost Asio:
Boost Asio SSL Certification on iOS
This answer adds instructions on how to create a certificate and use it:
Some OpenSSL source that mysteriously doesn't work
Related
Pretty simple question, but I can't find any c++ libraries for using the github api... I already know how to use it in python, does that help? I am a c/c++ newb.
Thanks, Macaroonman
Is there any way to access the Github API with c++?
Yes.
can't find any c++ libraries
If there is no library, then you need to write the program yourself.
The github API is served through HTTP protocol. C++ has no standard HTTP client. Such client can be written by following the documentation in the RFC's maintained by IETF.
The HTTP communication is going to be over the TCP protocol. C++ has no standard TCP client. You'll find the RFC for TCP also from IETF if needed, but that is unlikely if you run your program on an operating system since the OS will probably provide a TCP API for you. To find find the relevant documentation, you must first know which OS you are targeting.
I am trying to implement secure communication between a server and client in c++. The limitation is that both the client and server must run on windows and have to be in c++. This is for a research project I am working on at my university.
So far I have found that SChannel is the best option, but the documentation is extremely confusing and I can not find any guides/tutorials on how to use it. I have already looked at this link https://learn.microsoft.com/en-us/windows/desktop/secauthn/creating-a-secure-connection-using-schannel but still do not understand how to get it working. Could someone guide me through this if this is the best way?
I also looked into use SSLStream using the CLR to have .net run inside of a c++ application. However I can not use this because the client application is threaded and threads can't be used with CLR.
I already have a dummy client and server set up with communication between the two, I am just trying to secure and encrypt that communication.
Any help is greatly appreciated!
Whichever SSL library you choose to use there are a few things you need to know as a beginner in this field:
The server and client implementations will end up looking quite different in places.
Your server is absolutely going to need a certificate with a private key. During development you clearly don't want to get one from Verisign or something so you need to create a self-signed certificate. You can do this with openssl or other tools.
The certificate consists of a private part and a public part. The public part needs to go to the client, and will be used to validate the connection. When you are using something like SChannel the certificates (private and public) will need to be installed in the certificate stores of the server and client respectively.
SChannel does not send or receive data for you. So the core of your implementation is going to be: when the network has data: read ciphertext from socket and write to SChannel. Read clear text from SChannel (if any) and pass to application. When the application has data to send, get clear text from Application and pass to SChannel. Get the resulting ciphertext buffers from SChannel and write to the socket.
buffers from the internet may be partial, and negotiations and re-negotiations means there's no 1:1 mapping of passing data into SChannel and getting data out.
You therefore can't get away with a naive implementation that calls SChannel once to pass data in, and once again to get un/encrypted data. There will potentially be nothing available, or a whole lot of packets to send between the client and the server, before you'll get any application bytes. i.e. You will need some kind of state machine to keeptrack of this.
Obviously, don't write both the client and server at the same time: Start with your client against an https server.
That's the general outline of the process - the things that confused me when I first encountered SSL and why none of the samples were nearly as simple as I had hoped them to be.
The TL;DR version
I'd like to know:
Where does the specification for the use of ECDHE get defined (in a cert parameter or a server configuration of SSL contexts, or elsewhere)?
In a non-home-rolled certificate setup, who's responsibility is it to define the ECDHE public and private information (the end user or cert provider)?
Can an existing Certificate which does not appear to use ECDHE be made to without causing issues with the Certificate?
Are there any examples of someone using SSL in Boost::ASIO with an ECDHE setup?
The Longer Version
We've been building an application which is using a proper-paid-for certificate from an external Cert Authority. The application uses a home-rolled server setup based off of Boost ASIO and Boost Beast, and we only recently noticed it doesn't play nice with iOS - ASIO says there is no shared cipher.
Reading into how TLS works has led me to the fact that some part of our server was preventing us from serving TLS using the ECDHE-* suite of ciphers (which iOS seems to want) - but I'm having difficulty in figuring out how to wrangle ASIO and our current cert/key into serving ECDHE.
What I've tried:
Using the same cert and key, adding in the results of openssl dhparam into ASIO using set_tmp_dh, then specifying ciphers. Curl reports that this allows a connection using DHE but not ECDHE. Specifying ciphers that only use ECDHE causes errors when connecting.
Trying to pass the output of openssl ecparam to ASIO using a similar method to the above. I've not been able to format something that ASIO accepts.
Trying to see if there is a way you can use the output of openssl ecparam with another combining function to modify the original cert into one that uses ECDHE. I clued onto this one from the OpenSSL wiki suggesting that if the cert does not contain the line ASN1 OID: prime256v1 (or a similar named curve), then it is not suitable for ECDHE usage.
At this point I'm unsure as to where the issue truly lies (in ASIO, in the certificates or in how I'm putting it all together) and most of the information on the internet I can find relates to home-rolling everything from scratch, rather than working with existing certs.
Update 11/05/19
https://github.com/chriskohlhoff/asio/pull/117 pulled in changes for ASIO with ECDHE. Will need to wait a while to see which Boost lib version it makes it into.
Original Answer
I seem to have found an answer for any googlers - ASIO does not appear to support ECDHE natively at the time of writing. This issue from the main repo suggests that ECDHE is on the cards for support but is not yet implemented.
Here is a link to the ECDHE implementation that's been waiting to be merged since 2016: https://github.com/chriskohlhoff/asio/pull/117.
+1 to get the attention of the Boost ASIO maintainer; he's been pretty slow with it.
Can I use boost asio for HTTPS requests? I can make GET and POST HTTP requests, but what about HTTPS? How can I handle it? Can somebody provide me a code snippet?
Yes you can.
http://www.boost.org/doc/libs/1_47_0/doc/html/boost_asio/example/ssl/client.cpp
Simply integrate it to your HTTP request.
Asio offers basic SSL support through OpenSSL. A code example is available as part of the documentation
In general, HTTPS is quite similar to HTTP, except for the fact that you have to perform an SSL handshake to initialize the connection. Asio offers an implementation for this.
The actual communication is quite easy, as you simply encrypt your HTTP stream, the actual communication patterns are the same.
Therefore, if the functionality offered by Asio is not flexible enough, you can also write your own encryption layer on top of Asio using OpenSSL (although I would not recommend this unless you already have a fair deal of experience with encryption).
I have to write an application that implements a secure connection between client and server using Microsoft API .
Google give me a lot of results, and I have a big mess -need someone to make me some order in my head:
Questions:
what is SSPI interface? what is Schannel.dll library? what are the diffrents? (I see that I can include "SSPI.h" and "Schannel.h" and "security32.h" - which header file do I really need?)
How can I find a real simple sample that explains me how to create secure sockets?
Do you have some guidelines that I have to know before I start?
I would appreciate very much if you can help.
SSPI allows an application to use various security models available on a computer or network without changing the interface to the security system.
To paraphrase, it allows you to use a single set of API with different authentication or verification mechanisms, thus hiding complexity.
For your second question, have a look at this: Creating a Secure Connection Using Schannel with related sample code here.