Switch tcp to ssl connection

Postby prehley » 01 Feb 2012, 22:57

Hello,

I have a legacy client app that I need to support, and I'm creating a server to handle the communication. I need the server to create an SSL connection over the connection the client connected to. The client initially connects over a TCP connection, but then switches to SSL at some point during the conversation.

I saw a previous thread which seems to be similar

http://pocoproject.org/forum/viewtopic.php?f=12&t=4912&p=7736&hilit=ssl#p7736

And I get the error message "error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol". That is the same error message as in the previous thread. I've created my own SSL Context object (Poco::Net::Context) and have passed it to attach().

The following code is the part I'm having a problem with.
Code:

  #include "Poco/Net/Context.h"
  #include "Poco/Net/SecureStreamSocket.h"
  #include "Poco/Exception.h"
  using Poco::Exception;
  using Poco::Net::Context;
  using Poco::Net::SecureStreamSocket;

  // Runs inside the connection handler; socket() is the plain StreamSocket
  // the client connected on, which is to be upgraded to SSL in place.
  Context::Ptr _pCon;
  try {
      _pCon = new Context(
          Context::SERVER_USE,
          privateKeyFile,
          certificateFile,
          caConfig,               // caLocation
          Context::VERIFY_NONE,   // verMode
          1,                      // verDepth
          false,                  // loadDefCA
          "AES256-SHA,AES128-SHA" // cipherList
      );
  }
  catch (Exception& ex) {
      error(ex.displayText());
      throw;
  }

  try {
      // This is where the SSL Exception gets thrown.
      SecureStreamSocket sss(SecureStreamSocket::attach(socket(), _pCon));
      socket() = sss;
  }
  catch (Exception& ex) {   // catch by reference, not by value, so the exception is not sliced
      error(ex.displayText());
  }

Is there anything there that looks incorrect? Is there anything that I'm missing?

I'm using POCO (poco-1.4.1p1-all). Any suggestions would be helpful.
prehley
 
Posts: 10
Joined: 01 Feb 2012, 22:21

Re: Switch tcp to ssl connection

Postby guenter » 01 Feb 2012, 23:36

This approach will only work for clients, as SecureStreamSocket::attach() will perform an SSL connect. However, on the server side, it should perform an SSL accept instead. This can be done by patching SecureStreamSocket::attach() as follows:

Code:

  SecureStreamSocket SecureStreamSocket::attach(const StreamSocket& streamSocket, Context::Ptr pContext)
  {
      SecureStreamSocketImpl* pImpl = new SecureStreamSocketImpl(static_cast<StreamSocketImpl*>(streamSocket.impl()), pContext);
      SecureStreamSocket result(pImpl);
      // A server-side context must run the accept side of the handshake;
      // a client-side context runs the connect side.
      if (pImpl->context()->isForServerUse())
          pImpl->acceptSSL();
      else
          pImpl->connectSSL();
      return result;
  }


The trick is to check whether the context is for server or client use. If it's for server use, perform an SSL accept, otherwise an SSL connect.
I haven't tested this but it should work. Let me know if it does and I will add it to the next release.
Note: isForServerUse() is available in 1.4.3.
guenter
 
Posts: 1137
Joined: 11 Jul 2006, 16:27
Location: Austria

Re: Switch tcp to ssl connection

Postby prehley » 02 Feb 2012, 20:36

Hello,

The error message changed but it didn't seem to get any further. The message I'm getting now is:

error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I tried forcing the function to do both an accept and a connect, but the error message was the same for both of those.

Re: Switch tcp to ssl connection

Postby guenter » 02 Feb 2012, 20:41

This tells you that the server was accepting a connection from the client, but could not negotiate a common cipher suite. According to your Context setup, your server only supports AES256-SHA,AES128-SHA. Apparently, the client does not support these two, so client and server could not find a common cipher suite.

Re: Switch tcp to ssl connection

Postby prehley » 02 Feb 2012, 21:06

ok, let me play with that setting then.

Thanks,
prehley

Re: Switch tcp to ssl connection

Postby prehley » 02 Feb 2012, 23:54

Tracked down the ciphers that the client wants (TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_AES_128_CBC_SHA), but even when I use "ALL" for ciphers I get the problem.

How do I know which ciphers POCO supports?

Thanks
prehley

Re: Switch tcp to ssl connection

Postby prehley » 03 Feb 2012, 20:58

Ahh, the documentation says POCO's support for SSL ciphers is whatever the underlying OpenSSL supports. I'll dig into that some more. From what I can tell though, it looks like the version of SSL we are using should support the ciphers that are being requested.

Thanks,
prehley

Re: Switch tcp to ssl connection

Postby prehley » 09 Feb 2012, 05:38

Ok, I got past the "no shared cipher" issue. When I did the call to Context, the value for certificateFile was an empty string because the certificate is stored in the same file as the private key. The documentation for Context says "certificateFile contains the path to the certificate file (in PEM format). If the private key and the certificate are stored in the same file, this can be empty if privateKeyFile is given".

However, that is what was causing the problem. When I set the certificateFile to the same value as the privateKeyFile, the handshake completed and the code proceeded further. I still have a problem, but I need to look at the data and see what's dying now.

Re: Switch tcp to ssl connection

Postby prehley » 09 Feb 2012, 06:25

Hello,

Yes, I thought this could get strange. After the handshake is complete and user login is exchanged, the client switches back to non-ssl traffic. I tried saving the socket stream prior to becoming an ssl socket, but when I tried using that saved socket after the ssl data is complete I get an "Invalid socket" message.

How do I switch the ssl socket to a tcp connection?

Thanks,
prehley

Re: Switch tcp to ssl connection

Postby guenter » 10 Feb 2012, 14:57

If you're using a SocketStream, then you cannot continue using it after switching to TLS. You'll need to create a new SocketStream using the SecureSocketStream you've created.
