r06 SSL
r06 SSL
Athula Balachandran
Wolfgang Richter
PJ1 Final Submission
● SSL server-side implementation
● CGI
● Daemonize
SSL – Stuff you already know!
● Standard behind secure communication on the
Internet.
● Data encrypted before it leaves your computer
and decrypted only at the computer.
● Hope is it is impossible to crack and eavesdrop!
● Can be used with HTTP, POP3, Telnet etc.
OpenSSL
● Can do a lot more than SSL
● Message digests
● Encryption and decryption of files
● Digital certificates
● Digital signatures
● Random number generation
Setup domain name
● Create a DNS hostname for yourself with a free
account at DynDNS (or already have a domain
name...)
● Don't buy anything, they offer free subdomains
and scripts/programs to
auto-update the DNS mapping for you.
Set up CA and get certificate
● Add the 15-441 Carnegie Mellon University
Root CA to your browser (import certificate,
usually somewhere in preferences)
● Obtain your own private key and public
certificate from the 15-441 CMU CA.
Implementation
BIO * BIO_new(BIO_s_socket());
BIO_set_fd(sbio, sock, BIO_NOCLOSE);
SSL_set_bio()
● Connects the BIOs rbio and wbio for the read
and write operations of the TLS/SSL
(encrypted) side of ssl
buf_io = BIO_new(BIO_f_buffer());
/* create a buffer BIO */
ssl_bio = BIO_new(BIO_f_ssl());
/* create an ssl BIO */
BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE);
/* assign the ssl BIO to SSL */
BIO_push(buf_io, ssl_bio);
BIO_read() and BIO_write()
● Attempts to read len bytes from BIO b and
places the data in buf.
int BIO_read(BIO *b, void *buf, int len);
● Attempts to write len bytes from buf to BIO b.
int BIO_write(BIO *b, const void *buf, int len);
Foreground Processes
and
Background processes (daemons)
How to daemonize?
Orphaning
● Fork the process to create a copy (child)
● Let parent exit!
● The child will become child of init process
– Start operating in the background
int i, lfp, pid = fork();
if (pid < 0) exit(EXIT_FAILURE); /* fork error */
if (pid > 0) exit(EXIT_SUCCESS); /* parent exits */
/* child (daemon) continues */
How to daemonize?
Process Independency
● Process inherits parent's controlling tty
● Server should not receive signals
● Detach from its controlling tty
● Operate independently from other processes
umask(027);
How to daemonize?
Running directory
● Server should run in a known directory
chdir(“/servers/”)
How to daemonize?
Mutual Exclusion
● We want only one copy of the server (file locking)
● Record pid of the running instance!
● 'cat lisod.lock' instead of 'ps -ef | grep lisod'
lfp = open(lock_file, O_RDWR|O_CREAT|O_EXCL, 0640);
if (lfp < 0)
exit(EXIT_FAILURE); /* can not open */
if (lockf(lfp, F_TLOCK, 0) < 0)
exit(EXIT_SUCCESS); /* can not lock */
/* only first instance continues */
sprintf(str, "%d\n", getpid());
write(lfp, str, strlen(str)); /*record pid to lockfile */
How to daemonize?
Catching signals
● Process may receive signal from a user or a
process
● Catch those signals and behave accordingly.
● Signal_Handler function in the sample code
How to daemonize?
● Logging
● Assignment – you need to log to file!
Questions?