AcornSSL server functionality
Chris Gransden (337) 1207 posts |
It should be working OK now. I missed off loading the intermediate certificate. |
Steve Pampling (1551) 8170 posts |
Ah, yes. When I said I missed the “and load all required parts of the certificate chain” Ain’t life fun? Wayback up there.
Every bit as fast as the site it mirrors. Nice. |
Dave Higton (1515) 3525 posts |
At the moment, I have some home automation stuff accessible via HTTP on RISC OS. For security, it is a special app that doesn’t respond at all unless the request supplied to it is exactly correct. There’s no error response to help the hackers, who keep trying. Assuming server functionality for AcornSSL comes along, I’d be able to simply transfer this over to HTTPS. But this makes me wonder: when hackers come along, presumably they can attempt an SSL connection. But could such a connection be successful, and, if so, would it leak any information contained within my private certificate? This is a naive question, because I really don’t know any detail about how SSL works. |
Dave Higton (1515) 3525 posts |
I have been unable to resist playing with adding server functionality. It’s very early days, but I have some promising results. I can read certificates and a private key into appropriate stores (although, at the moment, they’re allocated within the module). I can create a server socket, and I can perform an accept operation on it. That’s as far as it goes – the cert(s) and key are not yet associated with the socket, so there’s no useful transfer of data. I seem to get zombie sockets left after I’ve done this stuff (they refuse to die), so clearly I’ve either done something wrong or not done something right. If anyone would like to look at my code and say “Hey, you can’t do that!” I’d like to hear from you. |
Dave Higton (1515) 3525 posts |
As for leaking information: that was the wrong question. It’s not a case of a leak, it’s what information (if any) the client can legitimately get from the server certificates as a result of a normal connection. If anyone has an answer to that, I’d be interested to hear it. |
Jeffrey Lee (213) 6048 posts |
Generally the aim of a server is to accept connections from any client. So yes, an attacker that connects to a SSL server in a standards-conformant manner will be accepted by that server. If you want your server to only accept connections from certain clients, servers can be configured so that the client has to present a public key of its own when it connects to the server. The server can then check the received key and reject connections from clients which aren’t recognised. If the key is accepted, the negotiation messages the server sends to the client will be encrypted using that key, ensuring that the negotiation can only succeed if the client holds the corresponding private key (public keys are used for encryption, private keys for decryption). I.e. the client can’t pretend to be trustworthy by presenting a stolen public key. This is common with SSH – instead of using a username & password to authenticate yourself with the remote machine, you use the public part of a private key stored on your machine.
Private keys contain, or can be used to generate, the corresponding public key. So although you configure your server with a private key, the clients which connect to it only get to see the public part. “Sloppy” SSL implementations may be vulnerable to timing attacks that attackers can exploit to derive the private key, but since that kind of attack has been known about for some time now I’d assume mbedTLS is immune to them. |
Dave Higton (1515) 3525 posts |
Thinking ahead to the extended AcornSSL API, I see that the mbedtls_net_bind() call is a one stop shop for creating a server socket: it creates a socket, binds it and sets it listening. I can’t easily find a call to bind a socket without the other steps being rolled into it. So I suggest that, instead of trying to follow the old-style recipe (create, bind, listen) too closely, we use this call – under whatever name we give the AcornSSL SWI. The only other call we need is to set the socket non-blocking. |
Dave Higton (1515) 3525 posts |
I’ve corrected the problem that caused zombie sockets. |
Dave Higton (1515) 3525 posts |
Well, I had a successful SSL handshake earlier, with AcornSSL as server. However, it’s only once. Since then the call to mbedtls_ssl_handshake has eventually returned 0xFFFFFFB4, which is a real problem to me as I can’t find that anywhere in the mbedtls sources. 0xFFFFFFB4 is -0×4C, or -76, and that’s what I’ve been looking for. If anyone can shed any light on where that comes from, or what causes it, I would very much appreciate the help! |
Steve Pampling (1551) 8170 posts |
Giving it more memory to work in and fall over somewhere else is too simplistic isn’t it? |
Dave Higton (1515) 3525 posts |
Much too simplistic, I’d say. Since then it’s behaved flawlessly, and I’ve been able to get a minimal web page displayed in Firefox. I downloaded my current certificate and private key from my web site so that I had valid ones to play with, and added davehigton.me.uk to the Linux box’s hosts file so as to be able to point to the RasPi with a domain name to match the cert. |
Dave Higton (1515) 3525 posts |
I have to backpedal slightly on mbedtls_net_bind() being a one stop shop. The bind has to be onto an SSL session that’s configured as server and with the cert(s) and key loaded, so I’ve had to create an SSL handle configured as server and without a socket, to pass that as the client handle to bind. Rather than create another SWI to do it, I’ve altered AcornSSL_Creat so that, if given a type of -1 in R1, it does that. It’s a cheat, but it’s easier than setting one of the flags. I haven’t actually traced through the source code, but I’m assuming that the accept call copies the client socket information from the server socket. |
Dave Higton (1515) 3525 posts |
OK, now we have to agree the extended API to AcornSSL. |
Colin (478) 2433 posts |
MBEDTLS_ERR_NET_RECV_FAILED mbedtls.h.net_sockets |
Dave Higton (1515) 3525 posts |
Thanks, Colin. |
Dave Higton (1515) 3525 posts |
There’s a working (for me!) version of the AcornSSL module with server functionality, and the associated documentation of the extensions to its API, on my web site at https://davehigton.me.uk/Progs/AcornSSLServer.zip That is to say, it’s there at the moment. At some point I’ll take it down, either because my changes have gone into the official version of the module available from this site, or because no-one has shown any interest in it. Please, please, anyone who has any interest in it: take it, try it, break it, and above all comment on my proposed extensions to the API. I hope I haven’t done this just for myself. |
Rick Murray (539) 13840 posts |
It’s interesting, for sure. The question is, however, how to get WebJames to use it…or something to replace WebJames that can? |
Dave Higton (1515) 3525 posts |
If we have access to recent source of WebJames, I’m sure it will be possible to do it. In fact I’m very much hoping that somebody (possibly me!) will do it. I don’t think that my extensions are difficult in principle – sure, there are more steps in setting up a server, as the certs and key are not the ones in InetDbase:CertData. But no step is difficult. I had a cursory look for WebJames source a couple of days ago, without success. |
Julie Stamp (8365) 474 posts |
I’m anticipating using this so I’m pleased you’ve made good progress :-) Once I’ve had a go I’ll send some more feedback (that will be a while yet, I’ve got to do the non-SSL version first!), but for now here are some ignorant thoughts from someone who’s never used SSL.
|
Stuart Painting (5389) 714 posts |
http://www.cp15.org/webjames/ has a link to the source code for v0.48 (vintage 2007, so may not be the latest). I also found this GitHub page which seems to include source. I suspect it’s also 0.48 though. |
Colin (478) 2433 posts |
Can’t the api be reduced to the api below? The certify stuff looks as though it can be done internally – as can the handshake which is done internally by client sockets. In any case I think AcornSSL_Accept would be better if it returned EAGAIN or EWOULDBLOCK as Accept does now. I’ve returned the ssl handle from bind – I’m assuming bind creates it. I’ve added a new swi to get the socket from ssl handles.
|
Colin (478) 2433 posts |
Do we need accept to specify the buffer for incoming data. If the ssl_handle returned by bind included a buffer for use by accept accept can be reduced to.
|
Dave Higton (1515) 3525 posts |
Yes, but it looks a bit uncomfortable to me…
The input parameters are completely different, in the case of creating an empty server session, from the other use of the same SWI. We aren’t short of SWIs, so I don’t think there’s anything to gain, and there’s a loss of clarity.
My bad, of course it returns a handle in R1, I’ll update the docs.
The mbedtls_net_accept() call requires a buffer and a length, and return the length used. I have no idea why; I’m simply doing what the call requires. I have no idea what would appear in the buffer, nor what use could be made of it. If you can show that it’s not necessary, or that a buffer could be shared, or… I’ve seen no indication that the buffer is needed beyond the accept.
That looks like a useful addition. |
Dave Higton (1515) 3525 posts |
I’ve just been updating the AcornSSL module so as to require just one flag bit when creating an empty server session. I thought the next available bit was b10; am I working from out of date source? |
Dave Higton (1515) 3525 posts |
At the moment I only know to translate one mbedTLS return code to Acorn, and that’s MBEDTLS_ERR_SSL_WANT_READ, which I’m translating to EWOULDBLOCK. If anyone knows any other likely return codes that would indicate simply looping round again, I’m happy to translate them too. It does point up one important thing, though: I simply built in a call within AcornSSL_Bind() to make the server socket non-blocking, and I’ve failed to document that I’ve done so. I could remove the call, I suppose, but I don’t know the consequences to the host OS operation. I guess that means I’ll have to try! Does anyone actually use blocking sockets? If so, how and why? |