Open SSL Secure Socket - ddpalacios/home-server GitHub Wiki
Converting a Socket to an SSL Socket
Description:
- SSL (Secure Sockets Layer) is an encryption-based internet security protocol. Its successor is TLS (Transport Layer Security); the SSL protocol versions themselves are deprecated, and what OpenSSL's "SSL" API negotiates today is TLS.
- A website that implements SSL/TLS has https:// in its URL instead of http://.
- To provide privacy, SSL/TLS encrypts data in transit. Anyone who intercepts the traffic sees only ciphertext and cannot recover the plaintext without the session keys.
- SSL/TLS starts with an authentication step called the handshake, in which the server proves its identity with its certificate. The client is only authenticated if client certificates (mutual TLS) are configured; by default only the server side is verified.
- SSL/TLS also protects integrity: every record is protected by a MAC or an AEAD cipher, so data tampered with in transit is detected and rejected rather than delivered to the recipient. (Digital signatures are used in the handshake to authenticate the server, not on the application data itself.)
Notes (summarised from https://www.cloudflare.com/learning/ssl/what-is-ssl/):
SSL/TLS can only be offered by servers that have an SSL certificate (technically a "TLS certificate"). An SSL certificate is like an ID card or a badge that proves someone is who they say they are. The certificate is stored on the server and presented to every client during the handshake.
One of the most important pieces of information in an SSL certificate is the server's public key, which makes authentication and key establishment possible. The client uses the public key to verify the server and to agree on the session keys, while the matching private key stays on the server and is never sent. With RSA key exchange (TLS 1.2 and earlier) the private key decrypts key material the client encrypted with the public key; in TLS 1.3 the private key only signs the handshake and the session keys come from an ephemeral Diffie-Hellman exchange, so a later private-key compromise does not expose recorded sessions.
Sources:
- SSL socket: https://docs.openssl.org/master/man7/ossl-guide-libcrypto-introduction/
- https://www.cloudflare.com/learning/ssl/what-is-ssl/
Tasks:
- Generate a trusted SSL certificate (prod & dev)
  - For development: generate a self-signed certificate
    - https://tecadmin.net/step-by-step-guide-to-creating-self-signed-ssl-certificates/
  - For production: obtain a certificate issued by a trusted CA (stretch goal)
Creating the development certificate consisted of generating a private key and a CSR (certificate signing request), then signing the CSR with that same private key to produce a self-signed certificate. The private key must stay out of the repository and be readable only by the server's user (mode 0600).
This certificate was used to establish the SSL handshake between the server and the client. Because no CA vouches for a self-signed certificate, clients have to be told to trust it explicitly (for example openssl s_client -CAfile server.crt); otherwise the handshake still completes, but certificate verification fails with "self signed certificate" (verify return code 18).
- Replace recv() and send() with SSL functions
  recv() and send() were replaced with SSL_read() and SSL_write(), which decrypt and encrypt through the SSL object attached to the fd. Unlike recv()/send(), a return value <= 0 must be classified with SSL_get_error(): on a non-blocking socket, SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE mean "wait for the next poll() event and retry the same call", SSL_ERROR_ZERO_RETURN means the peer closed the TLS session cleanly, and anything else is a real failure.
- Test POLLING functionality with secured SSL sockets
  Linux command to test an SSL connection against the running server:
    openssl s_client -connect localhost:9034
This feature requires keeping an array of SSL pointers alongside the poll() array, so that every fd poll() reports as ready can be mapped to the SSL object that performs the encrypted read and write for it.

    struct Client {
        int  Id;     // the raw socket fd
        SSL *cSSL;   // pointer to the SSL structure wrapping that fd
    };
    // clients[] = [c1, c2, c3 .... ci] - required for SSL_read()/SSL_write()

poll(...) takes an array of struct pollfd [p1, p2, p3 .... pi] holding the raw fds. poll() knows nothing about TLS, so entry i of the pollfd array must correspond to entry i of the Client array (same fd at the same index).
When adding new clients:
- accept() the connection and add the new fd to the pollfd array
- wrap the fd in a new SSL object (SSL_new(), SSL_set_fd(), then SSL_accept() for the handshake) and store the fd and the SSL* in the Client array at the same index
When removing clients:
- obtain the fd from the pollfd entry that reported POLLHUP/POLLERR or whose SSL_read() returned SSL_ERROR_ZERO_RETURN
- remove the entry from the pollfd array
- remove the matching entry from the Client array, then SSL_shutdown() and SSL_free() its SSL object and close() the fd; otherwise the SSL state and the descriptor leak
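The add/remove bookkeeping above, written out as an added example (this is not code from the home-server project). It keeps the pollfd array and the Client array aligned by always inserting at the same index and removing with a swap from the end in both arrays, and it dispatches ready fds from the top of the array so a handler can drop its own entry mid-loop without skipping anyone. SSL is forward-declared exactly as OpenSSL's headers do so the file compiles without libssl; the numeric stand-in pointers in main() replace what SSL_new() would return, and the names table_add, table_remove, table_find, table_dispatch and drop_on_hangup are this example's own.

```c
/* Added example: keep poll()'s fd array and the per-client SSL* array aligned. */
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct ssl_st SSL;   /* opaque, same declaration as <openssl/ssl.h> */

#define MAX_CLIENTS 64

struct Client {
    int  fd;    /* raw socket fd; must equal pfds[i].fd at the same index */
    SSL *cSSL;  /* TLS state used for SSL_read()/SSL_write() on fd */
};

struct ClientTable {
    struct pollfd pfds[MAX_CLIENTS];    /* what poll() sees: raw fds only */
    struct Client clients[MAX_CLIENTS]; /* parallel array: pfds[i] <-> clients[i] */
    int count;
};

void table_init(struct ClientTable *t) { memset(t, 0, sizeof *t); }

/* Register a client in BOTH arrays at the same index. Returns the index, or
 * -1 when full/invalid (caller then SSL_free()s the object and close()s fd). */
int table_add(struct ClientTable *t, int fd, SSL *ssl) {
    if (t->count >= MAX_CLIENTS || fd < 0 || ssl == NULL) return -1;
    int i = t->count++;
    t->pfds[i].fd = fd;
    t->pfds[i].events = POLLIN;
    t->pfds[i].revents = 0;
    t->clients[i].fd = fd;
    t->clients[i].cSSL = ssl;
    return i;
}

/* Map a raw fd back to its table index, or -1 if unknown. */
int table_find(const struct ClientTable *t, int fd) {
    for (int i = 0; i < t->count; i++)
        if (t->pfds[i].fd == fd) return i;
    return -1;
}

/* Remove by fd: the last entry is swapped into the hole in BOTH arrays so the
 * indices stay aligned. Returns the SSL* so the caller can SSL_shutdown(),
 * SSL_free() it and close() the fd; NULL if the fd is not in the table. */
SSL *table_remove(struct ClientTable *t, int fd) {
    int i = table_find(t, fd);
    if (i < 0) return NULL;
    SSL *victim = t->clients[i].cSSL;
    int last = --t->count;
    if (i != last) {
        t->pfds[i] = t->pfds[last];
        t->clients[i] = t->clients[last];
    }
    memset(&t->pfds[last], 0, sizeof t->pfds[last]);
    memset(&t->clients[last], 0, sizeof t->clients[last]);
    return victim;
}

/* Invariant: every live slot has matching fds and a non-NULL SSL*. */
int table_consistent(const struct ClientTable *t) {
    for (int i = 0; i < t->count; i++)
        if (t->pfds[i].fd != t->clients[i].fd || t->clients[i].cSSL == NULL)
            return 0;
    return 1;
}

typedef void (*ready_fn)(struct ClientTable *t, int idx, short revents);

/* After poll(t->pfds, t->count, timeout) returns, call handler for each flagged
 * slot. Walking from the top means a handler may table_remove() its own slot:
 * the swap pulls in an entry that was already visited, so none is skipped.
 * Returns the number of slots handled. */
int table_dispatch(struct ClientTable *t, ready_fn handler) {
    int handled = 0;
    for (int i = t->count - 1; i >= 0; i--) {
        short re = t->pfds[i].revents;
        if (!(re & (POLLIN | POLLHUP | POLLERR))) continue;
        t->pfds[i].revents = 0;
        handled++;
        handler(t, i, re);
    }
    return handled;
}

/* Handler: drop clients whose socket hung up or errored. A full handler would
 * otherwise SSL_read() on t->clients[idx].cSSL and treat SSL_ERROR_WANT_READ /
 * SSL_ERROR_WANT_WRITE from SSL_get_error() as "retry after the next poll()". */
void drop_on_hangup(struct ClientTable *t, int idx, short revents) {
    if (!(revents & (POLLHUP | POLLERR))) return;
    int fd = t->pfds[idx].fd;
    SSL *s = table_remove(t, fd);
    (void)s; /* real server: SSL_shutdown(s); SSL_free(s); close(fd); */
}

int main(void) {
    struct ClientTable t;            /* constructed stand-in pointers below */
    table_init(&t);
    table_add(&t, 7, (SSL *)(uintptr_t)0x71);
    table_add(&t, 8, (SSL *)(uintptr_t)0x81);
    table_add(&t, 9, (SSL *)(uintptr_t)0x91);
    table_remove(&t, 8);             /* fd 9 now lives in slot 1 */
    t.pfds[0].revents = POLLHUP;
    t.pfds[1].revents = POLLIN | POLLHUP;
    int n = table_dispatch(&t, drop_on_hangup);
    printf("handled=%d remaining=%d consistent=%d\n", n, t.count, table_consistent(&t));
    return 0;
}
```

The swap-remove keeps both arrays dense so poll() is always handed exactly `count` live entries; the alternative of setting `pfds[i].fd = -1` also works (poll() ignores negative fds) but leaves holes that the Client array has to mirror.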