SLL?
BlitzMax Forums/BlitzMax Programming/SLL?
| ||
| Hey guys, Has anyone done any networking code that uses SSL? I am worried about the authentication mechanism I am creating because it requires the user's password to be sent (as a hash, but still) through a non-SSL socket. This seems like a wonderfully bad idea, so I'd like to run the socket on SSL possibly. My other idea is to handle authentication using a PHP script and a remote web call from the client, which wouldn't be that hard really. The script would return an authentication token which the client would use when connecting to me server. I'm also planning on giving access to users through telnet/SSH however, so I really should figure out how to do this in BlitzMax... I see that Brucey has used SSL in his libcurlssl module but it doesn't seem to be in a form very useful for this (still digging around in there). If I need to write some C code I'm not opposed to that. Any ideas? |
| ||
| libcurl+ssl can communicate happily over https. It is designed as a file-transfer library supporting many different secure and non-secure protocols. If you want to use "raw" SSL streams, you'll have to dig into the ssl libs, I'm afraid. I've used the crypto part of OpenSSL to create a crypto module, but handling all that ssl stuff manually seemed a bit heavy going, so I never ventured into that side of it. |
| ||
| try this, a mod by Brucey. I never used it, but it seems what you are looking for. edit: too late... |
| ||
| The main issue I had was the documentation : http://www.openssl.org/docs/ssl/ssl.html It's a tad on the sparse side... |
| ||
| It's a tad on the sparse side... Yeah that's exactly what I was thinking when I looked at their website before, after seeing you had used OpenSSL. I just need my connections to be secure so I can probably do my own encryption on the wire, provided that I use something like HTTPS to get a security token for the client to use when encrypting it's messages and decrypting the server's messages. The problem with this is I can't use SSH, etc. to allow people to log in using text-mode. I think I can solve that by running a copy of the text client for each user on the server itself (which I probably want to do anyway), and having them tunnel to it through SSH... maybe... I'm not sure. Either that or I will just create a custom client that uses my own encryption system, but runs in console mode. I guess it'll work. It's non-standard and I really wanted people to just be able to log in using any old SSH that might be installed with their distro / Mac OS, etc.... but maybe that just isn't worth the effort. Heh. After looking at GNet a bit more, I think I will actually use it for the network messages themselves (but not to actually sync objects), so my encryption would be built on top of GNet... shouldn't be too hard, I hope... |
| ||
| Is sending a password all you need SSL for? In that case it would probably be secure enough to double hash a password with unique salt, unless you have especially strict security needs. Something like (pseudo): salt = getRandomSalt() hash = hashFunction(client.password) hash = hashFunction(hash + salt) sendHash() If hash = getHash() Then ok() Else wrong() Edit: Oh, and choose a good hashFunction, of course. :) |
   |