
Normally, in C or C++, to communicate through an SSL/TLS encrypted TCP socket you need to use whatever functions the SSL/TLS provider (OpenSSL, GnuTLS, etc.) gives you in order to perform reads & writes, for example: BIO_write, BIO_read, etc.

I have a routine in C which reads and writes from a socket, and I'd like to have the ability to pass it a TLS socket so that it can perform encrypted communication over that connection. However, that would require me to rewrite the function so that it uses the BIO_read, BIO_write etc routines, when I'd like to keep it as it is.

Is there any way that I can create a socket (or convert an existing one) which will have all data written to and read from it automatically encrypted/decrypted (i.e. "transparently"), ideally completely in userspace, so that routines using that socket don't need to worry about how to transmit data through it? Or would I be better off making wrapper routines for those reads/writes that choose which read/write routine to use?

Joe
  • You can use [ucspi-tcp](https://cr.yp.to/ucspi-tcp.html) or [stunnel](https://www.stunnel.org/index.html), or you can even create a tunnel with `openssl s_server` and `openssl s_server`. You'd then read and write from / to `stdin` and `stdout`. There is no such thing as a library that you could link against, and it would magically upgrade your connections to SSL / TLS with minimal fuss. – Satō Katsura Aug 10 '16 at 10:41
  • @SatoKatsura I assume that'll mean I'll need to have multiple threads then? – Joe Aug 10 '16 at 11:25
  • It depends on what you want to do. Creating tunnels with `ucspi-tcp` / `stunnel` / whatever is useful on the client side, where you'd create a tunnel and spawn a copy of your process for each connection. It doesn't work on the server side, there you'd have to bite the bullet and deal with OpenSSL and friends. – Satō Katsura Aug 10 '16 at 11:32
  • Unfortunately this is server side, so it looks like I'm gonna have to. If you'd post your comment as an answer, I'll accept it. – Joe Aug 10 '16 at 13:00
  • It's more a rambling than an answer. Well, on server side there is a solution, but it's specific to OpenBSD: [relayd(8)](http://man.openbsd.org/OpenBSD-current/man8/relayd.8). With `relayd` you basically add a redirect to your application, then clients connect with SSL / TLS to `relayd`, and `relayd` relays the connection in cleartext to your application. At some point there was some talk about porting `relayd` to Linux, but as far as I know there was no concrete result. Still, `relayd` doesn't need to live on the same machine as your application. So it could work with an OpenBSD firewall. – Satō Katsura Aug 10 '16 at 13:16

2 Answers

One family of toolsets for this is the UCSPI-SSL family. William Baxter's ucspi-ssl package begat Scott Gifford's ucspi-ssl package which begat Erwin Hoffman's ucspi-ssl package. In each, you run your program from sslserver, which handles accepting incoming connections, the SSL handshaking, and the data encryption/decryption, and your program just talks plaintext via its standard input and output like an ordinary tool.

Gerrit Pape's sslsvd, one of the tools in the ipsvd toolset, does a similar job.

Further reading

  • Jonathan de Boyne Pollard (2015). "Softwares". The gen on the UNIX Client-Server Program Interface. Frequently Given Answers.
  • sslserver. UCSPI-SSL. 2015. SuperScript.
  • sslsvd. ipsvd. Gerrit Pape.
  • sslio. ipsvd. Gerrit Pape.
JdeBP
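An added example (not code from the question, from either answer, or from any of the UCSPI packages) that shows both of the options discussed above in working C. The routine that must stay unchanged is written against a small transport struct holding read/write function pointers, so it dispatches to plain read()/write() or, when built with -DUSE_OPENSSL -lssl -lcrypto, to SSL_read()/SSL_write() without being rewritten; and its main() binds the plain backend to descriptors 0 and 1, which is all a program run under sslserver or sslsvd needs, since the front end has already done the handshake and decryption. The line-oriented service, the names transport, serve_lines and demo_through_pipes, and the assumption that sslserver exports TCPREMOTEIP the way tcpserver does are mine, not from the page.

```c
/* Added example: a routine written against a transport abstraction, usable
   either under sslserver (fds 0/1) or over an OpenSSL SSL* when so compiled. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef USE_OPENSSL
#include <openssl/ssl.h>   /* only when built with -DUSE_OPENSSL -lssl -lcrypto */
#endif

typedef struct transport {
    ssize_t (*rd)(struct transport *t, void *buf, size_t n);
    ssize_t (*wr)(struct transport *t, const void *buf, size_t n);
    int in_fd, out_fd;     /* plain backend; 0 and 1 under sslserver/tcpserver */
#ifdef USE_OPENSSL
    SSL *ssl;              /* TLS backend; an SSL* after SSL_accept() succeeded */
#endif
} transport;

/* Plain backend: ordinary descriptors. EINTR is retried, other errors reported. */
static ssize_t plain_rd(transport *t, void *buf, size_t n) {
    ssize_t r;
    do { r = read(t->in_fd, buf, n); } while (r < 0 && errno == EINTR);
    return r;
}
static ssize_t plain_wr(transport *t, const void *buf, size_t n) {
    ssize_t r;
    do { r = write(t->out_fd, buf, n); } while (r < 0 && errno == EINTR);
    return r;
}
transport transport_plain(int in_fd, int out_fd) {
    transport t; memset(&t, 0, sizeof t);
    t.rd = plain_rd; t.wr = plain_wr; t.in_fd = in_fd; t.out_fd = out_fd;
    return t;
}

#ifdef USE_OPENSSL
/* TLS backend: same interface, bytes go through the SSL object. SSL_read/SSL_write
   take an int length, so clamp; on -1 the caller may inspect SSL_get_error(). */
static ssize_t tls_rd(transport *t, void *buf, size_t n) {
    int r = SSL_read(t->ssl, buf, n > INT_MAX ? INT_MAX : (int)n);
    return r > 0 ? r : (r == 0 ? 0 : -1);
}
static ssize_t tls_wr(transport *t, const void *buf, size_t n) {
    int r = SSL_write(t->ssl, buf, n > INT_MAX ? INT_MAX : (int)n);
    return r > 0 ? r : -1;
}
transport transport_tls(SSL *ssl) {
    transport t; memset(&t, 0, sizeof t);
    t.rd = tls_rd; t.wr = tls_wr; t.ssl = ssl;
    return t;
}
#endif

/* Short writes are normal on sockets and on TLS; loop until everything is out. */
ssize_t write_all(transport *t, const void *buf, size_t n) {
    const char *p = buf; size_t done = 0;
    while (done < n) {
        ssize_t w = t->wr(t, p + done, n - done);
        if (w <= 0) return -1;
        done += (size_t)w;
    }
    return (ssize_t)done;
}

/* The routine that never learns whether the bytes are encrypted: a line-oriented
   service with a bounded buffer. Over-long lines are discarded and answered with
   ERR instead of growing memory. Returns the number of lines handled, -1 on error. */
int serve_lines(transport *t) {
    char buf[256]; size_t used = 0; int handled = 0, overflow = 0;
    for (;;) {
        if (used == sizeof buf) { overflow = 1; used = 0; }   /* drop, keep scanning */
        ssize_t r = t->rd(t, buf + used, sizeof buf - used);
        if (r < 0) return -1;
        if (r == 0) return handled;                             /* peer finished */
        used += (size_t)r;
        for (char *nl; (nl = memchr(buf, '\n', used)) != NULL; ) {
            size_t linelen = (size_t)(nl - buf);
            char reply[64]; int m;
            if (overflow) { m = snprintf(reply, sizeof reply, "ERR line too long\n"); overflow = 0; }
            else          { m = snprintf(reply, sizeof reply, "OK %zu bytes\n", linelen); }
            if (write_all(t, reply, (size_t)m) < 0) return -1;
            handled++;
            used -= linelen + 1;
            memmove(buf, nl + 1, used);
        }
    }
}

/* Offline demo: feed constructed input through pipes instead of a real connection. */
int demo_through_pipes(const char *input, char *reply_out, size_t cap) {
    int req[2], rep[2];
    if (pipe(req) < 0 || pipe(rep) < 0) return -1;
    size_t n = strlen(input);
    if (write(req[1], input, n) != (ssize_t)n) return -1;
    close(req[1]);                      /* EOF tells serve_lines the client is done */
    transport t = transport_plain(req[0], rep[1]);
    int handled = serve_lines(&t);
    close(rep[1]); close(req[0]);
    ssize_t got = read(rep[0], reply_out, cap - 1);
    close(rep[0]);
    reply_out[got < 0 ? 0 : (size_t)got] = '\0';
    return handled;
}

int main(void) {
    /* Under sslserver/tcpserver the connection is fd 0 (in) and fd 1 (out); the
       peer address in TCPREMOTEIP is an assumption carried over from tcpserver. */
    const char *peer = getenv("TCPREMOTEIP");
    fprintf(stderr, "connection from %s\n", peer ? peer : "(unknown)");
    transport t = transport_plain(0, 1);
    return serve_lines(&t) < 0 ? 1 : 0;
}
```

Run as `sslserver ... ./prog` (or under sslsvd) and the program handles cleartext on fds 0 and 1 while the front end terminates TLS; the same serve_lines() can be handed a transport_tls() when the process itself must own the TLS session, which is the "bite the bullet" case raised in the comments.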

See autossl.so, which is an LD_PRELOAD-able shared lib which upgrades plain text sockets to SSL/TLS without modifying the client application.

Disclaimer: it's written by me.

bandie