On 11/9/2010 4:06 PM, Karthick Ramu wrote:
I know that SSL requires a transport layer for reliability purposes. But
if there is a reliable, pre-provisioned and lossless network, is it
possible to transport an SSL packet without any transport layer protocol?
Does OpenSSL support SSL without a transport layer? Please help.
You can use BIO pairs. Just read from the SSL BIO, and when you get
data, it's your job to get it to the other end by whatever mechanism you
like. When you get encrypted data from the other end, by whatever
mechanism, just write it to the SSL BIO.
There are two caveats with this approach:
1) You must manually check that the certificate received from the other
end makes sense. Without a hostname from the TCP connection process,
there is no way to automatically know whether the certificate received
is correct or not. If you're trying to reach 'www.amazon.com' and get a
certificate for 'www.evilsite.net', your code must reject the connection.
2) You must not make assumptions about when you should read from and
write to the SSL BIO. Reading plaintext may require sending ciphertext.
Sending plaintext may require receiving ciphertext. Do not think of SSL
as an encryption on send or decryption on receive. Think of it as a
"magic box" that maintains a connection by sending and receiving messages.
Don't think "I just sent some plaintext so SSL will need to send some
ciphertext". Think "I just sent some plaintext, maybe SSL will need to
send some ciphertext, maybe it will need to receive some ciphertext",
just as it might need at any time.
DS
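The BIO-pair loop DS describes, written here as an added example in Python (whose ssl.MemoryBIO and SSLContext.wrap_bio expose the same OpenSSL mechanism); it is not code from this thread. It assumes the hostname 'www.amazon.com' from the message above as the expected peer name and a constructed in-memory stand-in for the lossless link; the peer side is not simulated, so the first turn only shows the ClientHello leaving the box before any application data was written.

```python
import ssl


def pump(tls, incoming, outgoing, send, recv, state, plaintext=b""):
    """One turn of the 'magic box': drive handshake, write and read, shuttling
    ciphertext over the caller's transport (send/recv callables) until SSL needs
    bytes the transport has not delivered yet. Returns any plaintext received."""
    got = bytearray()
    while True:
        try:
            if not state["handshake_done"]:
                tls.do_handshake()          # may need to send, receive, or both
                state["handshake_done"] = True
            if plaintext:
                tls.write(plaintext)        # queues ciphertext in `outgoing`
                plaintext = b""
            got += tls.read(4096)           # raises SSLWantReadError if none yet
        except ssl.SSLWantReadError:
            # Ship whatever ciphertext SSL decided to emit, then feed whatever the
            # peer delivered. Nothing in either direction means we are blocked.
            send(outgoing.read())
            data = recv()
            if not data:
                return bytes(got)
            incoming.write(data)


def make_client(expected_host):
    """Caveat 1: with no TCP connect to supply a hostname, the expected peer name
    is given explicitly; the default context keeps check_hostname on, so a
    certificate for any other name makes do_handshake() raise."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=expected_host)
    return tls, incoming, outgoing


def first_turn(expected_host="www.amazon.com"):
    """Caveat 2: the application has written nothing, yet the first turn already
    emits ciphertext (the ClientHello record) and then blocks on the peer.
    Returns (handshake_done, bytes handed to the constructed in-memory link)."""
    tls, incoming, outgoing = make_client(expected_host)
    wire = bytearray()                      # constructed stand-in for the link
    state = {"handshake_done": False}
    pump(tls, incoming, outgoing, wire.extend, lambda: b"", state)
    return state["handshake_done"], bytes(wire)
```

In a real deployment the same `pump` runs on both ends, with `send`/`recv` bound to whatever the lossless network offers.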
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org