Hello,
> Thank you very much this works fine but how do I get the information if
> diffie hellman (DH) is used to negotiate the key?
>
> I wanted to compare the differnce in cpu consumption and time delay if
> session reuse is used or not! (Keyexchange with Diffie Hellman)
> Therefore I set:
>
> SSL_CTX_set_session_cache_mode( ctx, SSL_SESS_CACHE_OFF );
>
> If I connect to the server there is a delay fore about 20 seconds but the
> server doesn't consume any cpu in this time, just the client... Shouldn't
> the server waste some CPU while computing his key?
>
> Do you the approximate delay if session reuse is not used?
> Furthermore, it would be great to display the DH secret length somehow?
I've attached modified test client which tries to
display some peer DH parameters ...
.... I'm sure that this may be done easer :-)
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
#include <stdio.h>
#include <openssl/ssl.h>
#define SSL_PKEY_NUM 6
typedef struct cert_pkey_st
{
X509 *x509;
EVP_PKEY *privatekey;
} CERT_PKEY;
typedef struct sess_cert_st
{
STACK_OF(X509) * cert_chain; /* as received from peer (not for SSL2) */
/* The 'peer_...' members are used only by clients. */
int peer_cert_type;
CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
/* Obviously we don't have the private keys of these,
* so maybe we shouldn't even use the CERT_PKEY type here. */
#ifndef OPENSSL_NO_RSA
RSA *peer_rsa_tmp; /* not used for SSL 2 */
#endif
#ifndef OPENSSL_NO_DH
DH *peer_dh_tmp; /* not used for SSL 2 */
#endif
#ifndef OPENSSL_NO_ECDH
EC_KEY *peer_ecdh_tmp;
#endif
int references; /* actually always 1 at the moment */
} SESS_CERT;
#define CA_FILE "./cacert.pem"
#define CERT_FILE "./cert.pem"
#define KEY_FILE "./key.pem"
/**
* TLS connection info callback.
*
* @param ssl TLS connection socket
* @param type connection type
* @param val connection info
* @return none
*/
static void tls_connection_info_cb(const SSL * ssl, int type, int val)
{
if (type & SSL_CB_LOOP) {
printf("tls_state: %s: %s\n",
type & SSL_ST_CONNECT ? "connect" :
type & SSL_ST_ACCEPT ? "accept" : "undefined", SSL_state_string_long(ssl));
}
if (type & SSL_CB_ALERT) {
printf("tls_alert: %s:%s: %s\n",
type & SSL_CB_READ ? "read" : "write",
SSL_alert_type_string_long(val), SSL_alert_desc_string_long(val));
}
}
int main()
{
BIO *bio;
SSL *ssl;
SSL_CTX *ctx = NULL;
//char *ciph = "AES256-SHA:AES128-SHA";
char *ciph = "DHE-RSA-AES256-SHA";
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
RAND_load_file("/dev/urandom", 1024);
printf("crypto lib: %s\n", SSLeay_version(SSLEAY_VERSION));
if ((ctx = SSL_CTX_new(SSLv23_method())) == NULL) {
goto err;
}
SSL_CTX_set_verify_depth(ctx, 4);
if (SSL_CTX_load_verify_locations(ctx, CA_FILE, NULL) != 1) {
goto err;
}
if (SSL_CTX_set_default_verify_paths(ctx) != 1) {
goto err;
}
if (SSL_CTX_use_certificate_chain_file(ctx, CERT_FILE) != 1) {
goto err;
}
if (SSL_CTX_use_PrivateKey_file(ctx, KEY_FILE, SSL_FILETYPE_PEM) <= 0) {
goto err;
}
if (!SSL_CTX_check_private_key(ctx)) {
goto err;
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
if (SSL_CTX_set_cipher_list(ctx, ciph) != 1) {
goto err;
}
SSL_CTX_set_info_callback(ctx, tls_connection_info_cb);
if ((bio = BIO_new_connect("127.0.0.1:10443")) == NULL) {
goto err;
}
if (BIO_do_connect(bio) <= 0) {
goto err;
}
if ((ssl = SSL_new(ctx)) == NULL) {
goto err;
}
SSL_set_bio(ssl, bio, bio);
if (SSL_connect(ssl) <= 0) {
goto err;
}
printf(" the cipher used by the client : %s\n", SSL_get_cipher(ssl));
struct sess_cert_st *sc = ssl->session->sess_cert;
if (sc->peer_dh_tmp != NULL) {
printf("Peer DH parameters:\n");
if (sc->peer_dh_tmp->p != NULL) {
printf(" p: %d bits\n", BN_num_bits(sc->peer_dh_tmp->p));
printf(" %s\n", BN_bn2hex(sc->peer_dh_tmp->p));
}
if (sc->peer_dh_tmp->g != NULL) {
printf(" g: %d bits\n", BN_num_bits(sc->peer_dh_tmp->g));
printf(" %s\n", BN_bn2hex(sc->peer_dh_tmp->g));
}
if (sc->peer_dh_tmp->pub_key != NULL) {
printf(" pub_key: %d bits\n", BN_num_bits(sc->peer_dh_tmp->pub_key));
printf(" %s\n", BN_bn2hex(sc->peer_dh_tmp->pub_key));
}
}
if (SSL_write(ssl, "test 123\n", 9) <= 0) {
goto err;
}
SSL_shutdown(ssl);
return (0);
err:
if (ctx != NULL) {
SSL_CTX_free(ctx);
}
ERR_print_errors_fp(stderr);
return (1);
}
