RE: Using OpenSSL over a high level peer-to-peer middleware
> The security work in SNMPv3 is old and outdated and years behind current practice. Some of that is understandable, but even back then we knew enough to know that raw UDP is almost architecturally flawed.

Not quite on the list topic - but if you were aware of the constraints placed on the SNMP protocol and its security model, you probably wouldn't be so rash in judgement.

P.S. I'm sure Marshall Rose would love to hear your arguments against UDP. :-) And so would the DTLS crowd. :-)

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Using OpenSSL over a high level peer-to-peer middleware
Alain,

One of the nice things about the OpenSSL implementation is the use of BIOs for communication; the protocol becomes totally irrelevant. If you could write a BIO to control white (or grey or black) mice to carry your data, you could implement secure communications across any road/way/path the mice could travel (mmm, cats and timeouts would maybe be a trouble).

Johan

--- Alain Damiral [EMAIL PROTECTED] wrote:

> Greetings to everyone,
>
> This is my first mail to this list so first of all I hope to avoid making too much of a fool of myself. I am a student in computer science and I have been charged with the task of implementing a secure communication mechanism for a high level peer-to-peer middleware designed for use in the Oz language (www.mosart-oz.org). This peer-to-peer network is a structured network in which there should not necessarily be a direct TCP connection between two communicating peers. So far it seems like a fine idea to use SSL over this network rather than directly over TCP as is usually done.
>
> Before damaging my health too much on this work I'd appreciate some advice from fine people such as many of you certainly are about the following questions:
>
> How feasible is it to use OpenSSL's SSL library to generate the raw data that is to be sent through the transport layer independent of the latter's implementation? And read this data on the other end...
>
> Would it be a better idea to use OpenSSL's crypto library to handle cryptographic operations and certificates and reimplement the rest of SSL's behaviour according to its specification? (At least to the extent required for my piece of work)
>
> Is there any known similar project, in which OpenSSL has been used to implement SSL over non-TCP connections?
>
> Well that's it for now and I thank you all for your time,
>
> Alain Damiral,
> Université Catholique de Louvain - student,
> alain.damiral'at'student.uclouvian.be
RE: Using OpenSSL over a high level peer-to-peer middleware
> > You might also want to look at the security in SNMPv3.
>
> Means what?

The security work in SNMPv3 is old and outdated and years behind current practice. Some of that is understandable, but even back then we knew enough to know that raw UDP is almost architecturally flawed.

/r$

--
Rich Salz
Chief Security Architect
DataPower Technology http://www.datapower.com
This address will be going away; please use [EMAIL PROTECTED]
Re: Using OpenSSL over a high level peer-to-peer middleware
> How feasible is it to use OpenSSL's SSL library to generate the raw data that is to be sent through the transport layer independent of the latter's implementation? And read this data on the other end...

The OpenSSL library uses the BIO abstraction for I/O operations. You could use a memory BIO and manipulate that buffer any way you want.

> Is there any known similar project, in which OpenSSL has been used to implement SSL over non-TCP connections?

OpenSSL 0.9.8 comes with support for DTLS, which is TLS over UDP. I am not aware of anyone using it, though. The EAP-TLS protocol that has been around for a while uses TLS over PPP (vs. TCP).

Be careful when you create your own protocol, because TLS assumes a reliable transport; breaking this assumption presents serious security implications.

Alain Damiral [EMAIL PROTECTED], sent by [EMAIL PROTECTED], 10/19/2005 08:32 AM, to openssl-users@openssl.org, subject "Using OpenSSL over a high level peer-to-peer middleware":

> Greetings to everyone,
>
> This is my first mail to this list so first of all I hope to avoid making too much of a fool of myself. I am a student in computer science and I have been charged with the task of implementing a secure communication mechanism for a high level peer-to-peer middleware designed for use in the Oz language (www.mosart-oz.org). This peer-to-peer network is a structured network in which there should not necessarily be a direct TCP connection between two communicating peers. So far it seems like a fine idea to use SSL over this network rather than directly over TCP as is usually done.
>
> Before damaging my health too much on this work I'd appreciate some advice from fine people such as many of you certainly are about the following questions:
>
> How feasible is it to use OpenSSL's SSL library to generate the raw data that is to be sent through the transport layer independent of the latter's implementation? And read this data on the other end...
>
> Would it be a better idea to use OpenSSL's crypto library to handle cryptographic operations and certificates and reimplement the rest of SSL's behaviour according to its specification? (At least to the extent required for my piece of work)
>
> Is there any known similar project, in which OpenSSL has been used to implement SSL over non-TCP connections?
>
> Well that's it for now and I thank you all for your time,
>
> Alain Damiral,
> Université Catholique de Louvain - student,
> alain.damiral'at'student.uclouvian.be
Re: Using OpenSSL over a high level peer-to-peer middleware
> OpenSSL 0.9.8 comes with support for DTLS, which is TLS over UDP.

Another point for the original poster to keep in mind is that SSL/TLS can require multiple reads/writes for a single application-level packet exchange. This isn't always obvious to folks starting out. I think the DTLS spec discusses some of the implications.

You might also want to look at the security in SNMPv3.

/r$

--
Rich Salz
Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
Re: Using OpenSSL over a high level peer-to-peer middleware
Rich Salz wrote:
> > OpenSSL 0.9.8 comes with support for DTLS, which is TLS over UDP.
>
> Another point for the original poster to keep in mind is that SSL/TLS can require multiple reads/writes for a single application-level packet exchange. This isn't always obvious to folks starting out. I think the DTLS spec discusses some of the implications.
>
> You might also want to look at the security in SNMPv3.
>
> /r$

Thank you for all the replies. I'll grab the opportunity here to point out that I am aware of SSL requiring more message exchanges than should be perceived at the application level.

Allow me to try to be more accurate about what I'm looking for. What I would like to do is to use OpenSSL's normal functionality, but without encapsulation of the actual operation of sending messages. Instead I would like all messages forged by OpenSSL - including handshake messages - to be sent back up to my module (which would be implemented in the Oz language I mentioned in my original post). Then the data would be sent across the high level structured peer-to-peer network in a reliable way, and the reverse operation run on the other end.

If I understand what Ning Ke suggests, OpenSSL uses a BIO output to send all those messages regardless of what that BIO is actually encapsulating? (That would normally be the TCP connection.) If it is so, I believe I have the answer to my questions.

Thanks again to all those whose time I have stolen

--
Alain Damiral,
Université Catholique de Louvain - student
alain.damiral'at'student.info.ucl.ac.be
Re: Using OpenSSL over a high level peer-to-peer middleware
On Wednesday 19 October 2005 08:37, Alain Damiral wrote:
> If I understand what Ning Ke suggests, OpenSSL uses a BIO output to send all those messages regardless of what that BIO is actually encapsulating? (That would normally be the TCP connection.) If it is so, I believe I have the answer to my questions.

Right, you use a memory BIO. The openssl-based plugin for QCA works this way, so you might have a look: http://delta.affinix.com/qca/

QCA presents SSL/TLS as a filter interface to the application. One neat thing this has allowed our application to do is run a single TLS session over a series of non-persistent HTTP connections.

Hopefully you find this encouraging. :)

-Justin
RE: Using OpenSSL over a high level peer-to-peer middleware
> > OpenSSL 0.9.8 comes with support for DTLS, which is TLS over UDP.
>
> Another point for the original poster to keep in mind is that SSL/TLS can require multiple reads/writes for a single application-level packet exchange.

SA establishment cost...

> This isn't always obvious to folks starting out. I think the DTLS spec discusses some of the implications.
>
> You might also want to look at the security in SNMPv3.

Means what?
Re: Using OpenSSL over a high level peer-to-peer middleware
Justin Karneges wrote:
> On Wednesday 19 October 2005 08:37, Alain Damiral wrote:
> > If I understand what Ning Ke suggests, OpenSSL uses a BIO output to send all those messages regardless of what that BIO is actually encapsulating? (That would normally be the TCP connection.) If it is so, I believe I have the answer to my questions.
>
> Right, you use a memory BIO.

My experience is that implementing your own BIO is not that hard. If you understand C, bang your head against the existing BIO implementations (especially bss_sock.c) and look for ideas that fall out of it... This way you can drop an additional layer of complexity. Instead of:

Your code = SSL_BIO = memory_BIO = your code

you get

Your code = SSL_BIO = your BIO

Bye
Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
RE: Using OpenSSL over a high level peer-to-peer middleware
> What I would like to do is to use OpenSSL's normal functionality, but without encapsulation of the actual operation of sending messages. Instead I would like all messages forged by OpenSSL - including handshake messages - to be sent back up to my module (which would be implemented in the Oz language I mentioned in my original post). Then the data would be sent across the high level structured peer-to-peer network in a reliable way, and the reverse operation run on the other end.

I recommend using BIO pairs for this purpose. There's example code in ssltest.c. Basically, your code then does 4 things:

1) When you have unencrypted data to send, you hand it to OpenSSL.
2) When OpenSSL has encrypted data to send, you grab it from OpenSSL.
3) When you receive encrypted data from the other side, you hand it to OpenSSL.
4) When OpenSSL has decrypted data to give, you grab it from OpenSSL.

The trick is to understand that these operations will not always appear logically related. For example, you may hand some unencrypted data to OpenSSL and it will not have any encrypted data ready for you to send yet. Or you may receive some encrypted data, hand it to OpenSSL, and then find there is no unencrypted data for you.

DS
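The "own BIO" design Goetz describes and the four hand-offs DS lists, as an added example that is not code from this thread or from OpenSSL: it uses Go's crypto/tls rather than OpenSSL because the shape is identical, the TLS engine reads and writes an abstract connection and your code carries the bytes. The wrapped net.Conn plays the part of your own BIO, net.Pipe stands in for the overlay transport, and the certificate, the peer name peer.example and the message are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/tls"; "crypto/x509"
	"math/big"; "net"; "time"
)

// tap is the custom transport (the analogue of your own BIO): it records every byte
// the TLS engine hands to it, handshake records included, before passing it on.
type tap struct {
	net.Conn
	sent []byte
}

func (t *tap) Write(p []byte) (int, error) { t.sent = append(t.sent, p...); return t.Conn.Write(p) }

// selfSignedCert builds a throwaway server certificate in memory (constructed for the example).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"peer.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this peer certificate; no InsecureSkipVerify
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// tlsOverCustomTransport completes a handshake and delivers msg over an in-memory pipe, returning
// the plaintext the peer decrypted and the raw bytes the client asked its transport to carry.
func tlsOverCustomTransport(msg string) (string, []byte, error) {
	cert, pool := selfSignedCert()
	a, b := net.Pipe() // stands in for the overlay network: not a TCP socket
	defer b.Close()
	wire := &tap{Conn: b}
	// Tickets are off so the server's flight ends at Finished; net.Pipe is synchronous and would
	// otherwise leave the server blocked until the client read the post-handshake ticket.
	srv := tls.Server(a, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
	cli := tls.Client(wire, &tls.Config{RootCAs: pool, ServerName: "peer.example"})
	got := make(chan string, 1)
	go func() { // the remote peer: its first Read runs the handshake, then yields the plaintext
		buf := make([]byte, 256)
		n, _ := srv.Read(buf)
		got <- string(buf[:n])
	}()
	if _, err := cli.Write([]byte(msg)); err != nil { // the first Write drives the handshake
		return "", nil, err
	}
	return <-got, wire.sent, nil
}
```

The bytes handed to the transport begin with a TLS handshake record (first byte 0x16) and never contain the plaintext; that opaque stream, handshake and all, is what the middleware would forward.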