Hi Chris,
There are many network protocols out there that start in plaintext mode
and "upgrade" to SSL after connecting. Examples are SMTP, POP3, IMAP,
and FTP -- some of the most widely used protocols in the world.
The way they work is they connect and start communicating, and then the
client or server (depending on who is intended to initiate the upgrade)
sends a command like 'STARTTLS' (TLS is the current proper name for the
protocol once known as 'SSL', but most of us use the terms
interchangeably). So for example, the client might send STARTTLS and this
would cause the server to respond with "OK" or something, at which point
both sides would begin the SSL handshake to upgrade the connection to TLS.
I would recommend using the IBM Global Secure Toolkit (GSKit) for this.
It comes with the operating system, so it's already there, but you would
need to install the components of SSL in the operating system (such as
the Digital Certificate Manager) to use it.
To upgrade a socket to SSL, you'd:
1) Create an SSL/TLS environment at the start of your server program.
This is shared by all sockets, so is a one-time setup. This is done with:
-- gsk_environment_open()
-- gsk_attribute_set_buffer() with GSK_OS400_APPLICATION_ID to
associate your session with an 'application id' (profile
with SSL settings in the Digital Cert Manager)
-- gsk_attribute_set_enum() to set GSK_SESSION_TYPE to be a
server session.
-- gsk_attribute_set_enum() to set GSK_SERVER_AUTH_TYPE to use server
type authentication.
-- any other settings you want to set up for your application
-- gsk_environment_init() to start the environment with your
settings.
2) Bind/Listen/Accept and send/receive as normal. Use non-blocking sockets.
3) When you want to upgrade to SSL/TLS, do gsk_secure_soc_open() to
start configuring a secure socket. You don't need this on your listener
socket, just the one that's connected to the client.
Then, gsk_attribute_set_numeric_value() to set the GSK_FD to your socket
descriptor number; this associates your existing socket with the secure
socket.
Then, gsk_secure_soc_init() to start the SSL/TLS handshake.
4) Once SSL/TLS has been established, don't use send/recv (or
read/write) anymore, but use the corresponding gsk_secure_soc_read() and
gsk_secure_soc_write() APIs instead. So you'll need to keep track of
which sockets are upgraded and which are not, and use an "if" statement
to choose the API to call.
5) For select(), this can be a little tricky because the select() will
be looking at the data on the raw TCP connection rather than the SSL/TLS
buffer. So what you should do is always try to read/write using the
gsk_secure_soc_read() (or write) routine first to make sure you get any
data in the buffer. If there is no data in the buffer, then you can call
select() to wait for data to arrive. This is why you need to use
non-blocking sockets, so you don't get hung up waiting for data when you
call gsk_secure_soc_read/write(). If it's easier, you can do your
non-secure sockets the same way (except use send/recv instead of the
secure socket routines).
6) To disconnect, call gsk_secure_soc_close() followed by the normal
close() API.
Good luck!
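Added example, not part of the original message or of GSKit: it models the select() pitfall from step 5 and the per-connection dispatch from step 4. A real TLS layer such as GSKit decrypts a whole record off the raw socket into its own buffer and hands the caller only what was asked for, so the remainder sits where select() cannot see it. The `mock_tls_read()` below is an assumed stand-in that buffers the same way on a plain `socketpair()`, so the logic runs without GSKit; `conn_t`, `conn_pending()`, `conn_read()`, `conn_readable()` and `demo_select_pitfall()` are names chosen for this example, and the "HELO/MAIL" bytes are constructed sample traffic.

```c
/* Added example: mock of a buffering TLS layer over a socketpair, used to
 * show why "check the TLS buffer first, then select()" is required. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define REC_MAX 256

/* One entry of the connection table: raw fd, upgrade flag, and (for
 * upgraded sockets) the layer's internal buffer of decrypted bytes. */
typedef struct {
    int fd;
    int upgraded;
    unsigned char buf[REC_MAX];
    size_t len;   /* bytes pulled into the layer buffer */
    size_t off;   /* bytes already handed to the caller */
} conn_t;

/* Stand-in for gsk_secure_soc_read() (assumption, not the GSKit API):
 * pull everything the kernel has into the layer buffer, as record
 * decryption would, then hand back at most `want` bytes. */
static ssize_t mock_tls_read(conn_t *c, void *out, size_t want)
{
    if (c->off == c->len) {
        ssize_t got = recv(c->fd, c->buf, sizeof c->buf, 0);
        if (got <= 0)
            return got;          /* 0 = EOF, -1 = errno (EWOULDBLOCK) */
        c->len = (size_t)got;
        c->off = 0;
    }
    size_t avail = c->len - c->off;
    size_t n = want < avail ? want : avail;
    memcpy(out, c->buf + c->off, n);
    c->off += n;
    return (ssize_t)n;
}

/* Bytes waiting in the TLS layer that select() on the raw fd cannot see. */
size_t conn_pending(const conn_t *c)
{
    return c->upgraded ? c->len - c->off : 0;
}

/* Step 4: one read entry point that picks the right API per connection. */
ssize_t conn_read(conn_t *c, void *out, size_t want)
{
    return c->upgraded ? mock_tls_read(c, out, want)
                       : recv(c->fd, out, want, 0);
}

/* Step 5: readiness check in the safe order. Consult the layer buffer
 * first; only fall back to select() when that buffer is empty. */
int conn_readable(conn_t *c, int timeout_ms)
{
    if (conn_pending(c) > 0)
        return 1;
    fd_set rfds;
    FD_ZERO(&rfds);
    FD_SET(c->fd, &rfds);
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int r = select(c->fd + 1, &rfds, NULL, NULL, &tv);
    return r > 0 && FD_ISSET(c->fd, &rfds);
}

/* The peer writes two short messages back to back; the upgraded side reads
 * only the first. A bare select() then reports "nothing to read" although
 * the second message is buffered. Returns the bytes recovered by draining
 * via conn_readable()/conn_read(); *select_saw_data reports what the bare
 * select() claimed. */
int demo_select_pitfall(int *select_saw_data)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    conn_t c = { .fd = sv[0], .upgraded = 1, .len = 0, .off = 0 };
    fcntl(c.fd, F_SETFL, O_NONBLOCK);            /* non-blocking, per step 2 */

    const char msg[] = "HELO\r\nMAIL\r\n";       /* constructed sample traffic */
    send(sv[1], msg, sizeof msg - 1, 0);

    unsigned char out[REC_MAX];
    if (conn_read(&c, out, 6) != 6) {            /* consume "HELO\r\n" only */
        close(sv[0]); close(sv[1]);
        return -1;
    }

    fd_set rfds; FD_ZERO(&rfds); FD_SET(c.fd, &rfds);
    struct timeval zero = { 0, 0 };
    *select_saw_data = select(c.fd + 1, &rfds, NULL, NULL, &zero) > 0;

    int total = 0;                               /* correct order: buffer, then select() */
    while (conn_readable(&c, 0)) {
        ssize_t n = conn_read(&c, out, sizeof out);
        if (n <= 0) break;
        total += (int)n;
    }
    close(sv[0]); close(sv[1]);
    return total;
}

int main(void)
{
    int saw = 0;
    int got = demo_select_pitfall(&saw);
    printf("bare select() saw data: %d, bytes recovered from buffer: %d\n", saw, got);
    return got == 6 ? 0 : 1;
}
```

Running it prints that the bare select() saw no data while 6 bytes ("MAIL\r\n") were still recoverable. In a real program the same `conn_pending()` check would wrap whatever the TLS library exposes for buffered data, and the loop over the connection table would drain every upgraded socket before the shared select() call.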
On 6/24/2015 5:52 PM, Chris Bipes wrote:
I have a program that connects to a third party over MPLS as well as listens for local host connections on the loopback IP. This program was written back when the third party only accepted one connection and we have multiple server jobs that need to send data to them in real time. The connect / write / read / disconnect was too much overhead back on the old systems we wrote it for. Enough of the history.
New challenge is to upgrade the connection to the third party with SSL, no problem. But still allow the local server program to connect non-SSL. (Can it be done?)
OK, the program creates the listening port and adds it to the bit array. Then connects to the third party and adds that to the bit array for the select() API.
I use a select() to wait on all the active connections for request to come in or new connections on the listening port.
Request from the local host are formatted and forwarded to the third party. If from the third party, the response is formatted and sent back to the requestor. This program has been working flawlessly for years.
Now I need to make just one of the connections SSL. Will the SSL socket still trigger the same select as the non-SSL sockets? If so, I can perform the SSL read as opposed to the regular read.
I basically need someone to confirm that both non-SSL connections and SSL connections will trigger the same select() API.
Still working on adding the SSL code to the program and want to know if I need to make the local host connections SSL for all to work.
Chris Bipes
Director of Information Services
CrossCheck, Inc.