Experimenting with SSL connections

Question

I have written a simple SSL Client/Server set of programs from a few tutorials I have found on the net - and these work fine. What I cant get my head around is the client side of things (See below)

It looks as if from the code the client connects to the SSL server, blindly accepts the certificate it provides then then uses it to encrypt/decrypt the data sent to and from the pair.

Should there not be something client side that validates the servers certificate for use? I mean I can change / swap the server side certificate with any new one and have it connect without so much as a wimper? How is this a secure method of connection? (or am I - as I suspect - missing something )

Many thanks

FR

void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile);
int OpenConnection(const char *hostname, int port);
void ShowCerts(SSL* ssl);
SSL_CTX* InitCTX(void);


int main(int count, char *strings[]) {


    char *hostname, *portnum;
    char buf[1024];
    SSL_CTX *ctx;
    SSL *ssl;
    int server;
    int bytes;


    if ( count != 3 ) {


        printf("usage: %s <hostname> <portnum>\n", strings[0]);
        exit(0);


    } // if


    hostname=strings[1];
    portnum=strings[2];


    printf("\nSSL Client 0.1\n~~~~~~~~~~~~~~~\n\n");


    // Init. the SSL lib
    SSL_library_init();
    ctx = InitCTX();


    printf("Client SSL lib init complete\n");


    // Open the connection as normal
    server = OpenConnection(hostname, atoi(portnum));


    // Create new SSL connection state
    ssl = SSL_new(ctx);


    // Attach the socket descriptor
    SSL_set_fd(ssl, server);


    // Perform the connection
    if ( SSL_connect(ssl) != FAIL ) {


        char *msg = "Here is some data";


        printf("Connected with %s encryption\n", SSL_get_cipher(ssl));

        // Print any certs
        ShowCerts(ssl);


        // Encrypt & send message */
        SSL_write(ssl, msg, strlen(msg));


        // Get reply & decrypt
        bytes = SSL_read(ssl, buf, sizeof(buf));


        buf[bytes] = 0;
        printf("Received: '%s'\n\n", buf);


        // Release connection state
        SSL_free(ssl);


    } // if


    else ERR_print_errors_fp(stderr);


    // Close socket
    close(server);


    // Release context
    SSL_CTX_free(ctx);
    return 0;


} // main


SSL_CTX* InitCTX(void) {


    SSL_METHOD const *method;
    SSL_CTX *ctx;


    // Load cryptos, et.al.
    OpenSSL_add_all_algorithms();


    // Bring in and register error messages
    SSL_load_error_strings();


    // Create new client-method instance
    method = SSLv3_client_method();


    // Create new context
    ctx = SSL_CTX_new(method);


    if ( ctx == NULL ) {


        ERR_print_errors_fp(stderr);
        abort();


    } // if


    return ctx;


} //InitCTX


int OpenConnection(const char *hostname, int port) {


    int sd;
    struct hostent *host;
    struct sockaddr_in addr;


    if ( (host = gethostbyname(hostname)) == NULL ) {


        perror(hostname);
        abort();


    } // if


    sd = socket(PF_INET, SOCK_STREAM, 0);
    bzero(&addr, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = *(long*)(host->h_addr);


    if ( connect(sd, (struct sockaddr*)&addr, sizeof(addr)) != 0 ) {


        close(sd);
        perror(hostname);
        abort();


    } // if


    return sd;


} // OpenConnection


void ShowCerts(SSL* ssl) {


    X509 *cert;
    char *line;


    cert = SSL_get_peer_certificate(ssl); /* get the server's certificate */


    if ( cert != NULL ) {


        printf("\nServer certificate:\n");
        line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
        printf("Subject: %s\n", line);


        // Free the malloc'ed string
        free(line);
        line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
        printf("Issuer: %s\n", line);


        // Free the malloc'ed string
        free(line);


        // Free the malloc'ed certificate copy
        X509_free(cert);


    } // if


    else printf("No certificates.\n");


} // ShowCerts

Answer 1

You are correct. The connection is secure (from eavesdropping), has integrity (protection against injection, truncation, and modification), and authentication (peer is who he says he is in his certificate), all done automatically for you by the transport, but it still lacks authorization (is this the person I wanted to talk to, and what exactly is this person allowed to do in my application). Only the application can do that, inherently, so it is up to you to get the peer certificate, get its SubjectDN, relate that to some local user database, check for existence, check its roles, etc.

Answer 2

A "Secure Connection" can be seen as consisting of two things:

1 Authentication: Be sure to be connected to the partner (here: server) one expects to connect to

2 Encryption: Have the data (transferred by the connection) be protected against being read during transmission

The certificate received from the server can be used to accomplish 1. The certificate is not necessarily involved in 2.

On how to add verification of a server's certificate to your client, you might like to check out this SO answer: https://stackoverflow.com/a/12245023/694576 (which you could have done in the first place anyway ... ;->)

For details on TLS (successor to SSL and former SSL 3.x) please see here: http://en.wikipedia.org/wiki/Transport_Layer_Security