AcornSSL server functionality

Hmm…

It should be working OK now. I missed off loading the intermediate certificate.

I missed off loading the intermediate certificate.

Ah, yes. When I said
“Most of those devices allow you to import a certificate, of course then you’re in the ‘is the certificate chain trusted’ realm unless you get one from a trusted ‘certificate authority’”

I missed the “and load all required parts of the certificate chain”

Ain’t life fun?

Wayback up there.

It transfers data much quicker than WebJames

Every bit as fast as the site it mirrors. Nice.

At the moment, I have some home automation stuff accessible via HTTP on RISC OS. For security, it is a special app that doesn’t respond at all unless the request supplied to it is exactly correct. There’s no error response to help the hackers, who keep trying.

Assuming server functionality for AcornSSL comes along, I’d be able to simply transfer this over to HTTPS.

But this makes me wonder: when hackers come along, presumably they can attempt an SSL connection. But could such a connection be successful, and, if so, would it leak any information contained within my private certificate?

This is a naive question, because I really don’t know any detail about how SSL works.

I have been unable to resist playing with adding server functionality. It’s very early days, but I have some promising results. I can read certificates and a private key into appropriate stores (although, at the moment, they’re allocated within the module). I can create a server socket, and I can perform an accept operation on it. That’s as far as it goes – the cert(s) and key are not yet associated with the socket, so there’s no useful transfer of data.

I seem to get zombie sockets left after I’ve done this stuff (they refuse to die), so clearly I’ve either done something wrong or not done something right.

If anyone would like to look at my code and say “Hey, you can’t do that!” I’d like to hear from you.

As for leaking information: that was the wrong question. It’s not a case of a leak, it’s what information (if any) the client can legitimately get from the server certificates as a result of a normal connection.

If anyone has an answer to that, I’d be interested to hear it.

But could such a connection be successful

Generally the aim of a server is to accept connections from any client. So yes, an attacker that connects to a SSL server in a standards-conformant manner will be accepted by that server.

If you want your server to only accept connections from certain clients, servers can be configured so that the client has to present a public key of its own when it connects to the server. The server can then check the received key and reject connections from clients which aren’t recognised. If the key is accepted, the negotiation messages the server sends to the client will be encrypted using that key, ensuring that the negotiation can only succeed if the client holds the corresponding private key (public keys are used for encryption, private keys for decryption). I.e. the client can’t pretend to be trustworthy by presenting a stolen public key. This is common with SSH – instead of using a username & password to authenticate yourself with the remote machine, you use the public part of a private key stored on your machine.

if so, would it leak any information contained within my private certificate?

Private keys contain, or can be used to generate, the corresponding public key. So although you configure your server with a private key, the clients which connect to it only get to see the public part.

“Sloppy” SSL implementations may be vulnerable to timing attacks that attackers can exploit to derive the private key, but since that kind of attack has been known about for some time now I’d assume mbedTLS is immune to them.

Thinking ahead to the extended AcornSSL API, I see that the mbedtls_net_bind() call is a one stop shop for creating a server socket: it creates a socket, binds it and sets it listening. I can’t easily find a call to bind a socket without the other steps being rolled into it. So I suggest that, instead of trying to follow the old-style recipe (create, bind, listen) too closely, we use this call – under whatever name we give the AcornSSL SWI. The only other call we need is to set the socket non-blocking.

I’ve corrected the problem that caused zombie sockets.

Well, I had a successful SSL handshake earlier, with AcornSSL as server.

However, it’s only once. Since then the call to mbedtls_ssl_handshake has eventually returned 0xFFFFFFB4, which is a real problem to me as I can’t find that anywhere in the mbedtls sources. 0xFFFFFFB4 is -0×4C, or -76, and that’s what I’ve been looking for.

If anyone can shed any light on where that comes from, or what causes it, I would very much appreciate the help!

Giving it more memory to work in and fall over somewhere else is too simplistic isn’t it?

Much too simplistic, I’d say.

Since then it’s behaved flawlessly, and I’ve been able to get a minimal web page displayed in Firefox.

I downloaded my current certificate and private key from my web site so that I had valid ones to play with, and added davehigton.me.uk to the Linux box’s hosts file so as to be able to point to the RasPi with a domain name to match the cert.

I have to backpedal slightly on mbedtls_net_bind() being a one stop shop. The bind has to be onto an SSL session that’s configured as server and with the cert(s) and key loaded, so I’ve had to create an SSL handle configured as server and without a socket, to pass that as the client handle to bind. Rather than create another SWI to do it, I’ve altered AcornSSL_Creat so that, if given a type of -1 in R1, it does that. It’s a cheat, but it’s easier than setting one of the flags. I haven’t actually traced through the source code, but I’m assuming that the accept call copies the client socket information from the server socket.

OK, now we have to agree the extended API to AcornSSL.

Since then the call to mbedtls_ssl_handshake has eventually returned 0xFFFFFFB4, which is a real problem to me as I can’t find that anywhere in the mbedtls sources

MBEDTLS_ERR_NET_RECV_FAILED mbedtls.h.net_sockets

Thanks, Colin.

There’s a working (for me!) version of the AcornSSL module with server functionality, and the associated documentation of the extensions to its API, on my web site at https://davehigton.me.uk/Progs/AcornSSLServer.zip

That is to say, it’s there at the moment. At some point I’ll take it down, either because my changes have gone into the official version of the module available from this site, or because no-one has shown any interest in it.

Please, please, anyone who has any interest in it: take it, try it, break it, and above all comment on my proposed extensions to the API.

I hope I haven’t done this just for myself.

I hope I haven’t done this just for myself.

It’s interesting, for sure. The question is, however, how to get WebJames to use it…or something to replace WebJames that can?

If we have access to recent source of WebJames, I’m sure it will be possible to do it. In fact I’m very much hoping that somebody (possibly me!) will do it. I don’t think that my extensions are difficult in principle – sure, there are more steps in setting up a server, as the certs and key are not the ones in InetDbase:CertData. But no step is difficult.

I had a cursory look for WebJames source a couple of days ago, without success.

I’m anticipating using this so I’m pleased you’ve made good progress :-)

Once I’ve had a go I’ll send some more feedback (that will be a while yet, I’ve got to do the non-SSL version first!), but for now here are some ignorant thoughts from someone who’s never used SSL.

• In AcornSSL_Creat we pass R0 = -1, but is it possible you will want to extend that at all later? (i.e. better to use just one bit to indicate server and leave the rest reserved?)
• You describe checking AcornSSL_Accept in a loop. Will there be an Internet event when someone’s trying to connect so the server can respond from the background? (I don’t know how it works with the existing Socket_ SWI’s).

I had a cursory look for WebJames source a couple of days ago, without success.

http://www.cp15.org/webjames/ has a link to the source code for v0.48 (vintage 2007, so may not be the latest).

I also found this GitHub page which seems to include source. I suspect it’s also 0.48 though.

Can’t the api be reduced to the api below?

The certify stuff looks as though it can be done internally – as can the handshake which is done internally by client sockets.

In any case I think AcornSSL_Accept would be better if it returned EAGAIN or EWOULDBLOCK as Accept does now.

I’ve returned the ssl handle from bind – I’m assuming bind creates it.

I’ve added a new swi to get the socket from ssl handles.

SWIs
----
AcornSSL_Creat                                                 SWI &50F80

Initialises a secure session with a new socket.

On entry
   R0 = CreateSession_NewServerAccept  (bit 11 - bit 3 of flags)
   R1 = certificate data, terminated by 0
   R2 = length of certificate data, including terminating 0
   R3 = key data, terminated by 0;
   R4 = length of key data, including terminating 0

On exit
   R0 = ssl handle

Use
   Creates an SSL handle which can be returned by Accept.
   
   
AcornSSL_Bind

Creates a server socket bound to an address and port

On entry
   R0 = IP address string, e.g. "192.168.16.69", control-terminated
   R1 = port address string, e.g. "443", control-terminated
   R2 = protocol, same as in AcornSSL_Creat CreateSession_New

On exit
   R0 = ssl_handle - 0 if failed
   
Use
   Analogous to AcornSSL_Create, but the skcte is bound to an
   IP address and port.


AcornSSL_Accept

Accept an incoming secure connection.

On entry
   R0 = server ssl handle
   R1 = client ssl handle
   R2 = buffer for incoming data
   R3 = size of buffer

On exit
   R0 = 0 for success, EAGAIN or EWOULDBLOCK to call again.


AcornSSL_GetSocket

Get socket used by ssl handle

On entry
    R0 = ssl_handle
    
On exit
    R0 = socket or -1 (invalid socket) if not bound to socket

Do we need accept to specify the buffer for incoming data. If the ssl_handle returned by bind included a buffer for use by accept accept can be reduced to.

AcornSSL_Accept

Accept an incoming secure connection.

On entry
   R0 = server ssl handle
   R1 = client ssl handle

On exit
   R0 = 0 for success, EAGAIN or EWOULDBLOCK to call again.

Can’t the api be reduced to the api below?

Yes, but it looks a bit uncomfortable to me…

AcornSSL_Creat

The input parameters are completely different, in the case of creating an empty server session, from the other use of the same SWI. We aren’t short of SWIs, so I don’t think there’s anything to gain, and there’s a loss of clarity.

AcornSSL_Bind

My bad, of course it returns a handle in R1, I’ll update the docs.

AcornSSL_Accept

The mbedtls_net_accept() call requires a buffer and a length, and return the length used. I have no idea why; I’m simply doing what the call requires. I have no idea what would appear in the buffer, nor what use could be made of it. If you can show that it’s not necessary, or that a buffer could be shared, or…

I’ve seen no indication that the buffer is needed beyond the accept.

AcornSSL_GetSocket

That looks like a useful addition.

I’ve just been updating the AcornSSL module so as to require just one flag bit when creating an empty server session. I thought the next available bit was b10; am I working from out of date source?

AcornSSL_Accept EAGAIN or EWOULDBLOCK

At the moment I only know to translate one mbedTLS return code to Acorn, and that’s MBEDTLS_ERR_SSL_WANT_READ, which I’m translating to EWOULDBLOCK. If anyone knows any other likely return codes that would indicate simply looping round again, I’m happy to translate them too.

It does point up one important thing, though: I simply built in a call within AcornSSL_Bind() to make the server socket non-blocking, and I’ve failed to document that I’ve done so. I could remove the call, I suppose, but I don’t know the consequences to the host OS operation. I guess that means I’ll have to try!

Does anyone actually use blocking sockets? If so, how and why?