Queries over OpenSSL programs

Rohan Shrivastava
Hello,

I am new to OpenSSL programming through C.

This is my first program, so I am not sure whether
I have achieved secure session between client and server or not,
though they are able to communicate
using SSL_write/read functions.

This is how I did the things

At server I loaded certificate & private key & after accepting
TCP connection I accepted SSL session request.
& then started communicating with Client.

At client I just used SSLv3_method() & SSL_CTX_new() functions to get new
ctx object.
Here after setting up TCP connection I initiated SSL connection request,
& on success it communicates with server.

I tried to load Random file with the following code, but could not get
through,
so I did without random source (for both client & server).

#define RANDOM "/dev/random"

if (!(RAND_load_file(RANDOM, 1024*1024))) {
        printf("\n Error in loading random file");
        exit(0);
}


I generated Certificate & Keys with the following commands

openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -x509 -days 3650 -out server_crt.pem

Now my queries are:

[#]. How can I be sure that session is secure?

[#]. If they are able to communicate in a secured session,
then how come they completed SSL handshake without random number source
(I think it is required at time of Handshake)?

[#]. How can I authenticate Clients (any sample code will help me a lot)
or what is function used for asking Client's certificate?

[#]. Is the loading CAs list required at the server/client (as here I did
not load), if required then how can I create such list as I am using this
in local network?

[#]. Also can I place the code here?


Any help will be highly appreciated

Thanks
-Rohan

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: Queries over OpenSSL programs

Riaz Farnaz
Use ssldump or tcpdump to view if the connection is being established in a secure manner.

--
Thank you,
Best Regards
Riaz Ur Rahaman
Re: Queries over OpenSSL programs

Rohan Shrivastava
Riaz,
Thanks for the help,
I am able to dump the packets using ssldump.

Some of my queries are still unanswered.
I am again pasting it here.

>> [#]. If they are able to communicate in a secured session,
>> then how come they completed SSL handshake without random number source
>> (I think it is required at time of Handshake)?
>>
>> [#]. How can I authenticate Clients (any sample code will help me a lot)
>> or what is function used for asking Client's certificate ?
>>
>> [#]. Is the loading CAs list, required at the server/client (as here I
>> did not load) ,if required then how can I create such list as I am using
>> this in local network?
>>
>> [#]. Also can I place the code here?


Thanks
-Rohan
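
For the CA-list and client-certificate questions re-posted above, an added example (not from the thread or from the OpenSSL project): on a local network a private CA can issue both peers' certificates, and its certificate file is the CA list each side loads. The file names, subject names and the helpers make_local_pki, make_self_signed and chains_to_ca are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. File names and subject names below are constructed.

# make_local_pki DIR: create a private CA plus server and client certs in DIR.
make_local_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    # Self-signed CA certificate. ca.pem is the "CA list" both peers load;
    # ca.key stays private and is only needed when issuing certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Local CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Each peer gets its own key and a certificate signed by the CA.
    for peer in server client; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$peer" \
            -keyout "$dir/$peer.key" -out "$dir/$peer.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$peer.csr" -days 365 \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$peer.pem" 2>/dev/null || return 1
    done
}

# make_self_signed DIR NAME: a lone self-signed cert, like server_crt.pem above.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# chains_to_ca CAFILE CERT: succeed only if CERT verifies against CAFILE.
# Matches the "CERT: OK" line rather than trusting the exit status alone.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Demo: certificates issued by the CA are accepted, a stranger's is not.
demo_dir=$(mktemp -d) && make_local_pki "$demo_dir" &&
    make_self_signed "$demo_dir" stranger &&
    for name in server client stranger; do
        if chains_to_ca "$demo_dir/ca.pem" "$demo_dir/$name.pem"; then
            echo "$name.pem: issued by the local CA"
        else
            echo "$name.pem: rejected"
        fi
    done
rm -rf "$demo_dir"
```

In the C programs, ca.pem is the file passed to SSL_CTX_load_verify_locations(), and calling SSL_CTX_set_verify() on the server context with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT makes the server request a client certificate and fail the handshake when none is presented. The client loads client.pem and client.key the same way the server loads its own pair.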


