By: Brian E. Lavender
Date: June 16, 2008
This presentation is primarily based upon my current research into implementing SSL/TLS for the OSSIM project for
Google Summer of Code. I am not an expert in SSL/TLS, but I am doing this presentation to help solidify my understanding. Please make note if you see errors or holes. It contains a series of useful examples at its website.
Network Security with OpenSSL
John Viega, Mass Messier, Pravir Chandra
OpenSSL is encryption over a TCP socket. It is crytography and PKI laid on top of a TCP socket connection. Version 3 for SSL is current version for SSL. There is an older version 2 for SSL, but it is not recommended. TLS is Transport Layer Security which was developed as the result of standardization of SSL. Both SSL and TLS is supported by OpenSSL. It provides the communication layer and the encryption and authentication on top of the communication layer. Authentication is performed using PKI.
What is PKI.
- Certificate is a signed public key.
- Private key to go along with it.
- RSA key can be used for signing and encryption
- DSA key can only used for signing
Create self signed key for Certificate authority. Certificate for certificate authority is widely distributed
Create Certificate Signing Request (CSR).
Certificate authority verifies signs CSR and returns
What SSL doesn't do.
Non repudation. Say Alice receives a message from Bob. After she receives the message she wants to show it to Charlie. It is possible that Bob can deny that he sent the message. With the PKI infrastructure it is easy to implement the nonrepudiation because both Bob and Alice have established certificates. Bob can sign the message before he encrypts using the SSL.
Different types of encryption
Block and stream ciphers for symetric encryption. Some are covered by patent or the names have trademark protection.
RC2, RC4, and RC5 are trademarks of RSA.
XOR, RC4 (tm)
AES, IDEA, Triple DES, DESX, DES, CAST5, Blowfish, RC2 (tm), RC5 (tm)
Method of doing private key exchange over an insecure channel using an ephemeral key ( a publicly avaialable key). Vulnerable to Man in the middle attack.
It is useful to understand socket programming without any of the SSL library,.
According to Bruce Molay in "Understanding Unix/Linux Programming"
1. Ask kernel for a socket
2. Bind address to socket. Address is host, port
3. Allow incoming calls on socket
4. Wait for accept a call.
int sock_id, sock_fd;
struct sockaddr_in saddr;
// Create a socket
sock_id = socket( PF_INET, SOCK_STREAM, 0 );
// Bind it to an address
bzero( (void *)&saddr, sizeof(saddr) );
saddr.sin_addr.s_addr = INADDR_ANY;
saddr.sin_port = htons(4444);
saddr.sin_family = AF_INET;
bind(sock_id, (struct sockaddr *)&saddr, sizeof(saddr))
// Set it to listen with a queue of 1.
// Accept the connection. Create a file pointer and read from it.
sock_fd = accept( sock_id, NULL, NULL );
sock_fpi = fdopen( sock_fd, "r" )
fgets( dirname, BUFSIZ - 5, sock_fpi)
Basic Socket programming using the OpenSSL API. OpenSSL uses a thing called BIOs, which is an abstraction
for handling input and output. BIOs can be chained together like a series of pipes. For example, data can be base64-encoded as it is written to a file. A BIO used for reading is known as a source BIO and one used for writing is a sink BIO. Only one source/sink BIO can exist in a chain.
BIO *abio, *cbio;
/* Create a socket BIO to listen for incoming connections on port 4444 */
abio = BIO_new_accept("4444");
// Place the socket into listening mode
// Wait for an incoming connection
// Get the bio for reading and writing
cbio = BIO_pop(abio);
// read up to 45 bytes into buf
nread = BIO_read(cbio, buf, 45);
Now to add SSL connection. This does not include any authentication.
// The cert file. It contains the certificate and the key.
#define CERTFILE "server.pem"
// SSL Context
BIO *acc, *client; // BIO for listen and then connection
SSL *ssl; // SSL object
// Load a certificate chain. But we won't verify here
if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
int_error("Error loading certificate from file");
// Load the private key
if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
int_error("Error loading private key from file");
// set up a BIO for listening
acc = BIO_new_accept(PORT);
// wait for a connection
// Get the connection
client = BIO_pop(acc);
// Tie the SSL object to it for reading a writing. Same BIO used for both.
SSL_set_bio(ssl, client, client);
// Read some data
err = SSL_read(ssl, buf , sizeof(buf) );
// Print it out.
fprintf(stdout, "%s", buf);