Here's my question.
Right now I have a Linux server application (written using C++ - gcc) that communicates with a Windows C++ client application (Visual Studio 9, Qt 4.5.)
What is the very easiest way to add SSL support to both sides in order to secure the communication, without completely gutting the existing protocol?
It's a VOIP application that uses a combination of UDP and TCP to initially set up the connection and do port tunneling stuff, and then uses UDP for the streaming data.
I've had lots of problems in the past with creating the security certificates from scratch that were necessary to get this stuff working.
Existing working example code would be ideal.
Thank you!
SSL is very complex, so you're going to want to use a library.
There are several options, such as Keyczar, Botan, cryptlib, etc. Each and every one of those libraries (or the libraries suggested by others, such as Boost.Asio or OpenSSL) will have sample code for this.
Answering your second question (how to integrate a library into existing code without causing too much pain): it's going to depend on your current code. If you already have simple functions that call the Winsock or socket methods to send/receive ints, strings, etc. then you just need to rewrite the guts of those functions. And, of course, change the code that sets up the socket to begin with.
On the other hand, if you're calling the Winsock/socket functions directly then you'll probably want to write functions that have similar semantics but send the data encrypted, and replace your Winsock calls with those functions.
However, you may want to consider switching to something like Google Protocol Buffers or Apache Thrift (a.k.a. Facebook Thrift). Google's Protocol Buffers documentation says, "Prior to protocol buffers, there was a format for requests and responses that used hand marshalling/unmarshalling of requests and responses, and that supported a number of versions of the protocol. This resulted in some very ugly code. ..."
You're currently in the hand marshalling/unmarshalling phase. It can work, and in fact a project I work on does use this method. But it is a lot nicer to leave that to a library; especially a library that has already given some thought to updating the software in the future.
If you go this route you'll set up your network connections with an SSL library, and then you'll push your Thrift/Protocol Buffer data over those connections. That's it. It does involve extensive refactoring, but you'll end up with less code to maintain. When we introduced Protocol Buffers into the codebase of that project I mentioned, we were able to get rid of about 300 lines of marshalling/demarshalling code.
I recommend to use GnuTLS on both the client and the server side, only for the TCP connection. Forget about the UDP data for now. The GnuTLS documentation has example code for writing both clients and servers. Please understand that at least the server side (typically the TCP responder) needs to have a certificate; the client side can work with anonymous identification (although there is even an example without server certificate, using only DH key exchange - which would allow man-in-the-middle attacks).
In general, it is likely that you will have to understand the principles of SSL, no matter what library you use. Library alternatives are OpenSSL (both Unix and Windows), and SChannel (only Windows).
Have you tried the SSL support in Boost.Asio or ACE? Both use OpenSSL under-the-hood, and provide similar abstractions for TCP, UDP and SSL. Sample code is available in both the Boost.Asio and ACE distributions.
One thing you may need to keep in mind is that SSL is record-oriented instead of the stream-oriented (both TCP and UDP). This may affect how you multiplex events since you must, for example, read the full SSL record before you can call a read operation complete.
To help handle this with no changes to the application yo may want to look at the stunnel project (http://www.stunnel.org/). I don't think that it will handle the UDP for you though.
The yaSSL and CyaSSL embedded SSL/TLS libraries have worked well for me in the past. Being targeted at embedded systems, they are optimized for both speed and size. yaSSL is written in C++ and CyaSSL is written in C. In comparison, CyaSSL can be up to 20 times smaller than OpenSSL.
Both support the most current industry standards (up to TLS 1.2), offer some cool features such as stream ciphers, and are dual licensed under the GPLv2 and a commercial license (if you need commercial support).
They have an SSL tutorial which touches on adding CyaSSL into your pre-existing code as well: http://www.yassl.com/yaSSL/Docs-cyassl-manual-11-ssl-tutorial.html
Product Page: http://yassl.com/yaSSL/Products.html
Regards,
Chris
Related
Is it possible to use Protobuf with UDP in gRPC?
The gRPC interface seems to be entirely based on TCP connections. The only example for UDP that I could find is the one in the gRPC source code in the following three files , but this example seems to be quite different than what gRPC's RPC layer offers, for example it has no notion of stubs, and it doesn't use Protobuf and instead use raw payload, etc.
src/core/lib/iomgr/udp_server.h
src/core/lib/iomgr/udp_server.cc
test/core/iomgr/udp_server_test.cc
July 9th, 2015 (grpc-go#241)
No, we need a reliable channel and UDP is not supported. There has been discussion with playing with things like QUIC, but we aren't currently trying it out and it would be even longer before we decided whether we would support it.
May 15th, 2018 (grpc#9493)
Closing this - we have no plan to support unreliable packets at the moment. If we have any particular protocol that can fit the use cases listed above, we will probably do a grfc first..
August 6th, 2018 (grpc-go#241)
We are working on new interface/abstractions between the grpc & transport packages to make it possible for custom transports (UDP could be one of them) to be implemented.
Incidentally, Cap'n Proto has UDP on their roadmap. I thought it was a joke at first, but it's real (...unless I'm still being trolled 😂), and written by the original author of proto2 at Google
Sorry, UDP support in gRPC is not enabled. As you observed, there is no way to actually access the limited udp support that currently exists. I do not know when or if this will change.
While searching the web looking for a networking library I came across the two and I began reading what the were about. Correct me if I am wrong but my understanding is that Opentnl is for sending stuff between a client and a server while Openssl is for securing that connection. In the case that this conclusion is correct, would it be possible to use the two in Union? ( With some work implementing of course.)
Sure, it is possible. You can use the encryption API in OpenSSL and build your own encrypted data to communicate via the Torque Net lib. It isn't something you can just plug in, and isn't as simple as the TCP socket stuff in OpenSSL, but I've done something similar to write a UDP based VPN with SSLeay (predecessor to OpenSSL). As an example, you can initialize a "session" of your own using RSA, then encrypt/decrypt from a buffer with AES (or some other algorithm that has hardware support for least latency).
I don't actually know much about TNL, it may already include some encryption support. I'd check that first.
I am implementing a messaging system using C++ and Qt. After much thought, I have determined that multicasting or a multicast-style technique will work best to solve my problem. However, I have learned about UDP's unreliability and believe it to be unacceptable.
My requirements are as follows:
Messages are to be sent in a binary serialized form.
From any given node on the network, I must be able to send messages to the other nodes.
Message delivery must be insured.
I have heard of OpenPGM and NORM as alternatives for UDP. If anyone has experience with either of these, could you please share?
I am also open to the possibility of implementing "reliable" multicast by myself, in the application layer, but I would prefer not to if there is a library that already implements this.
I am using C++ and Qt, therefore .NET or Java-based solutions are not acceptable unless they are open-source and I may port them to C++.
Thank you very much.
EDIT 20120816T1853 MDT: An additional question: would either PGM or NORM have to be implemented at the hardware/IP level? Or can they be overlayed on top of existing protocols?
We have implemented our own reliable multicast protocol over UDP called RSP, since we needed something cross-platform and at the time couldn't find a good solution between Linux and Windows. The Windows PGM implementation disconnects slow clients which leave the send window, whereas our implementation throttles the sender similar to TCP. Afaik OpenPGM can be configured to do the same.
The open source NORM at http://cs.itd.nrl.navy.mil/work/norm can be built as a library and has C++ API with Python and Java language bindings. If you ping the developer (me) via the mailing list, I can help get you started.
There is a large RFC division of reliable multicast protocols, and many implementations out there. It's a long time since I looked at this but there are TRAM, LRMP, ...
I would like to create a chat application(desktop-app) in c++, so which protocol i would need to study and implement. UDP(?)
Please provide me some good thoughts and advices and links also.
UDP protocol is not the best choice for Internet chat program. UDP packets will be blocked by proxies. And UDP doesn't guarantee packets delivery. So probably TCP protocol will be a better choice.
Take a look on Boost.Asio Library. It already contains primitive implementation of chat program.
You don't give us much details here!
If your purpose is really to make a fully working and feature full chat application I suggest you look at XMPP which is an open instant-messenging protocol. Here is a list of some libraries implementing it.
If your purpose is to study network programming and you're more interested in UDP versus TCP for instance, then UDP is a bad choice for a chat application as it does not guarantee much about data integrity or ordering. Your messages might (and will!) be received in bad order or some might even be missing. TCP does that for kind of check for you.
In between (a very simple chat app) you can implement your very own protocol and use libraries others have suggested here like Boost.asio, ACE, POCO, or even wxWidgets and Qt, which will ease socket handling and also provide what you need to build a desktop app for the last 2.
Try using Boost.Asio. There are some examples of chat applications included in documentation.
You can use or look at an open-source networking library like ACE. A lot of goodies there.
You could use an existing library that handles instant messaging protocols, such as libpurple.
UDP is like a 'shoot and forget' kind of protocol. It's fast, but if you use it for communicating over the internet, there's no guarantee your messages will be recieved at all. Even if it's LAN, your packets can still be lost. It would be more convenient to use TCP which makes sure your packets arrive without errors and in the order you sent them.
I'm using C++/boost::asio under Win7.
I'm trying to "sniff" trafic over a given TCP/IP port. Hence, I'd like to listen on that port, receive messages, analyze them, but also immidately allow them to flow further, as if I never intercepted them. I want them to sink into the program that normally listens and connects on that port. Imagine a transparent proxy, but not for HTTP.
I'd rather find a code-based solution, but barring that, maybe you would suggest a tool?
what you are trying to do is basically a firewall program.
On windows there is several approach to do that, you can hook winsock. The better (or not hacky) is to use TDI filter (you take a look a this) or to make a NDIS filter.
Microsoft also introduced new API, WPF and LSP. I think you have better to use it because the TDI filter and NDIS wrapper involve driver programming which complicated and can be time consuming.
If this is for a product you are developing you may want to take a look at the WinPcap library http://www.winpcap.org/ which you can embed into your own program.
If you just need to analyze for yourself, use one of the tools that uses WinPcap, I have had great success with WireShark; but check out the WinPcap site for other tools
You cannot use boost::asio (or any other socket based library) for this as it consumes all the traffic.