0% found this document useful (0 votes)
29 views35 pages

r06 SSL

The document discusses daemon processes and SSL server implementation. It explains how to setup OpenSSL and get certificates to enable SSL on a server. It provides details on initializing OpenSSL contexts and libraries, wrapping existing sockets in SSL, and reading and writing encrypted data to SSL sockets. It also describes how to detach a process from the terminal and run it as a daemon in the background.

Uploaded by

teweldetekeste
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
29 views35 pages

r06 SSL

The document discusses daemon processes and SSL server implementation. It explains how to setup OpenSSL and get certificates to enable SSL on a server. It provides details on initializing OpenSSL contexts and libraries, wrapping existing sockets in SSL, and reading and writing encrypted data to SSL sockets. It also describes how to detach a process from the terminal and run it as a daemon in the background.

Uploaded by

teweldetekeste
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 35

Angels (OpenSSL) and D(a)emons

Athula Balachandran
Wolfgang Richter
PJ1 Final Submission
● SSL server-side implementation
● CGI
● Daemonize
SSL – Stuff you already know!
● Standard behind secure communication on the
Internet.
● Data encrypted before it leaves your computer
and decrypted only at the computer.
● Hope is it is impossible to crack and eavesdrop!
● Can be used with HTTP, POP3, Telnet etc.
OpenSSL
● Can do a lot more than SSL
● Message digests
● Encryption and decryption of files
● Digital certificates
● Digital signatures
● Random number generation
Setup domain name
● Create a DNS hostname for yourself with a free
account at DynDNS (or already have a domain
name...)
● Don't buy anything, they offer free subdomains
and scripts/programs to
auto-update the DNS mapping for you.
Set up CA and get certificate
● Add the 15-441 Carnegie Mellon University
Root CA to your browser (import certificate,
usually somewhere in preferences)
● Obtain your own private key and public
certificate from the 15-441 CMU CA.
Implementation

● Use the OpenSSL library, here is a link to their documentation.


● Create a second server socket in addition to the first one, use the passed in SSL
port from the commandline arguments.
● Add this socket to the select() loop just like your normal HTTP server socket.
● Whenever you accept connections, wrap them with the SSL wrapping functions.
● Use the special read() and write() SSL functions to read and write to these
special connected clients
● In the select() loop, you need to know if a socket you are dealing with is SSL
wrapped or not
● Use appropriate IO depending on the 'type' of socket---although use select() for
all fd's
● Use your private key and certificate file that you obtained earlier.
Open SSL headers
/* OpenSSL headers */
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
Global Initilization
● SSL_library_init()
● registers the available SSL/TLS ciphers and
digests.
● SSL_load_error_strings()
● Provide readable error messages.
SSL_METHOD
● To describe protocol versions
● SSLv1, SSLv2 and TLSv1

SSL_METHOD* meth = TLSv1_method();


SSL_CTX
● Context object
● Store context information (keying material)
● Reused for all connections

SSL_CTX* ctx = SSL_CTX_new(meth);


SSL_CTX_use_certificate_file()
● Loads the first certificate stored in file into ctx.
● The formatting type of the certificate must be
specified from the known types
● SSL_FILETYPE_PEM
● SSL_FILETYPE_ASN1.
● Our CA generates files of PEM format

int SSL_CTX_use_certificate_file(SSL_CTX *ctx,


const char *file, int type);
SSL_CTX_use_PrivateKey_file()
● Adds the first private key found in file to ctx.
● The formatting type of the certificate must be
specified from the known types:
● SSL_FILETYPE_PEM
● SSL_FILETYPE_ASN1.
● Our CA generates files of PEM format

int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const


char *file, int type);
Initialization Steps
● Global System Initialize
● SSL_library_init()
● SSL_load_error_strings()
● Initialize SSL_METHOD and SSL_CTX
● meth=SSLv23_method();

ctx=SSL_CTX_new(meth);
● Loading keys
● SSL_CTX_use_certificate_file(...)
● SSL_CTX_use_PrivateKey_file(...)
SSL_new()
● Creates a new SSL structure
● Inherits the settings of the underlying context.
SSL* ssl = SSL_new(ctx);
SSL_set_fd()
● Connect the SSL object with a file descriptor

int SSL_set_fd(SSL *ssl, int fd);


SSL_accept
● SSL_accept - wait for a TLS/SSL client to
initiate a TLS/SSL handshake

int SSL_accept(SSL *ssl)


SSL_read and SSL_write
● SSL_read to read bytes from a TLS/SSL connection
int SSL_read(SSL *ssl, void *buf, int num);
● SSL_write to write bytes to a TLS/SSL connection
int SSL_write(SSL *ssl, const void *buf, int num);
● NOTE:
● The data are received in records (with a maximum record size of
16kB for SSLv3/TLSv1).
● Only when a record has been completely received, it can be
processed (decryption and check of integrity)
SSL_shutdown
● Shuts down an active TLS/SSL connection.
● Sends the ``close notify'' shutdown alert to the
peer.

int SSL_shutdown(SSL *ssl);


SSL Wrapping, send and recv data
● Create new SSL structure using SSL_new()
● Connect it to the socket using SSL_set_fd()
● Perform handshake using SSL_accept()
● Read and write using SSL_read() and
SSL_write()
● Perform shutdown at the end, also need to clear
state and close underlying I/O socket etc.
● As always, check for return value and handle
errors appropriately!
BIO - Optional
● I/O abstraction provided by OpenSSL
● Hides the underlying I/O and can set up
connection with any I/O (socket, buffer, ssl etc)
● BIOs can be stacked on top of each other using
push and pop!
● NOTE: You don't have to necessarily use BIO
for this project! The next few slides describe
creating BIO and working with it.
BIO_new()

● Returns a new BIO using method type.


● Check BIO_s_socket(), BIO_f_buffer(), BIO_f_ssl()
● Check BIO_new_socket()

BIO * BIO_new(BIO_s_socket());
BIO_set_fd(sbio, sock, BIO_NOCLOSE);
SSL_set_bio()
● Connects the BIOs rbio and wbio for the read
and write operations of the TLS/SSL
(encrypted) side of ssl

void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio)


Example of Stacking BIOs

buf_io = BIO_new(BIO_f_buffer());
/* create a buffer BIO */
ssl_bio = BIO_new(BIO_f_ssl());
/* create an ssl BIO */
BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE);
/* assign the ssl BIO to SSL */

BIO_push(buf_io, ssl_bio);
BIO_read() and BIO_write()
● Attempts to read len bytes from BIO b and
places the data in buf.
int BIO_read(BIO *b, void *buf, int len);
● Attempts to write len bytes from buf to BIO b.
int BIO_write(BIO *b, const void *buf, int len);
Foreground Processes
and
Background processes (daemons)
How to daemonize?
Orphaning
● Fork the process to create a copy (child)
● Let parent exit!
● The child will become child of init process
– Start operating in the background
int i, lfp, pid = fork();
if (pid < 0) exit(EXIT_FAILURE); /* fork error */
if (pid > 0) exit(EXIT_SUCCESS); /* parent exits */
/* child (daemon) continues */
How to daemonize?
Process Independency
● Process inherits parent's controlling tty
● Server should not receive signals
● Detach from its controlling tty
● Operate independently from other processes

setsid() /*obtain a new process group*/


How to daemonize?
Inherited Descriptors and Std I/0 Descriptors
● Close all open descriptors inherited
● Standard I/O descriptors (stdin 0, stdout 1, stderr 2)
● Open and connect to /dev/null

for (i = getdtablesize(); i >= 0; --i) close(i);


/* close all descriptors*/
i = open(“/dev/null”,O_RDWR); /*open stdin */
dup(i)
dup(i)
How to daemonize?
File Creation Mask
● Servers run as super-user
● Need to protect the files they create
● Filecreation mode is 750 (complement of 027)

umask(027);
How to daemonize?
Running directory
● Server should run in a known directory

chdir(“/servers/”)
How to daemonize?
Mutual Exclusion
● We want only one copy of the server (file locking)
● Record pid of the running instance!
● 'cat lisod.lock' instead of 'ps -ef | grep lisod'
lfp = open(lock_file, O_RDWR|O_CREAT|O_EXCL, 0640);
if (lfp < 0)
exit(EXIT_FAILURE); /* can not open */
if (lockf(lfp, F_TLOCK, 0) < 0)
exit(EXIT_SUCCESS); /* can not lock */
/* only first instance continues */
sprintf(str, "%d\n", getpid());
write(lfp, str, strlen(str)); /*record pid to lockfile */
How to daemonize?
Catching signals
● Process may receive signal from a user or a
process
● Catch those signals and behave accordingly.
● Signal_Handler function in the sample code
How to daemonize?
● Logging
● Assignment – you need to log to file!
Questions?

You might also like