Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
soc:derekpryor [2006/06/13 22:01] dpryor |
soc:derekpryor [2006/07/21 12:33] (current) dpryor |
||
---|---|---|---|
Line 5: | Line 5: | ||
---- | ---- | ||
+ | |||
+ | == Update (2006/07/21) == | ||
+ | Have almost finished porting the MatrixSSL versions of SHA1 and MD5. (Just one function I have to track down). Going to work on RSA next and see how small we can get it. __Update__: I took a look at 3DES, and even though the code is large (due to constant arrays) it should be easy to port. RSA is being a pain. | ||
+ | |||
+ | == Update (2006/07/17) == | ||
+ | From openssl.org faq "Typically you'll see a message saying there are no shared ciphers when the same setup works fine with an RSA certificate. There are two possible causes. The client may not support connections to DSA servers most web browsers (including Netscape and MSIE) only support connections to servers supporting RSA cipher suites. The other cause is that a set of DH parameters has not been supplied to the server." Because of this, I am going to look into the RSA algorithm and see how small it can be. | ||
+ | |||
+ | == Update (2006/07/16) == | ||
+ | The CipherSuites that mod_ssl accepts depends on what algorithms openssl was compiled with. Then in httpd.conf there is a directive that specifies which algorithms to accepts, or reject, and the default is to reject Anonymous DiffieHellman Suites. I will try to figure out which CipherSuites are avaliable on the default config. | ||
+ | |||
+ | == Update (2006/07/15) == | ||
+ | News! CreateSSLHello is functional, creating a ssl client hello message that is accepted by any ssl server. Ran into a problem though. Based on size constraints I have selected 4 Cipher Suites that could be used with minimal space (SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_WITH_RC4_128_MD5). The problem is these are not the most common Suites used, for example my basic install of Apache with SSL enabled does not accept any of these. So either we select some more Suites or the server admins will have to enable more Suites. I will figure out how to add these Suites to Apache shortly and post some more information. | ||
+ | |||
+ | == Update (2006/07/10) == | ||
+ | __Outline of SSL Code Structure__ | ||
+ | |||
+ | When a person starts coding a protocol using the SSL Library the code will follow this basic outline. | ||
+ | |||
+ | * Create an SSL struct | ||
+ | * Call an SSL startup function (maybe make this part of gPXE startup) | ||
+ | * Call CreateSSLHello to fill a buffer with the required ClientHello message | ||
+ | * (send buffer through connection, and read response) | ||
+ | * Call ReadSSLHello and pass the filled buffer | ||
+ | * (send buffer through connection, and read response) | ||
+ | * Call FinishSSLHello and pass the filled buffer | ||
+ | * -------------------- | ||
+ | * Call SSLEncode / SSLDecode and pass a buffer for the encrypted / decrypted text | ||
+ | * -------------------- | ||
+ | * Call SSLShutdown method to create the close message | ||
+ | * (send buffer through connection) | ||
+ | * Call SSLEnd method to free data structures / memory | ||
+ | |||
+ | Note: Function names are just placeholders | ||
+ | |||
+ | Note: After each call to an SSL function the programmer needs to check for an error (there are several). For example (need to read more data, connection closed, etc.) | ||
+ | |||
+ | == Update (2006/06/29) == | ||
+ | I'm working on reading through the SSL v3.0 RFC. Trying to work with only the code from MatrixSSL was not going to get me that far, as I did not understand what was going on at the lowest levels. I am about half way done with reading the RFC. Once I am done, I can start creating the different code frameworks that are used by SSL. | ||
+ | |||
+ | == Update (2006/06/25) == | ||
+ | So I have been looking through the SSL protocol setup communication. It looks like the client is not required to have an [[http://en.wikipedia.org/wiki/X.509|X.509 Certificate]] and private key. This allows us to do one of two things: | ||
+ | - Remove code that deals with handling the client key and certificate | ||
+ | - Insert the code (from #1) and allow the server to verify the identity of the client that is booting | ||
== Basic Idea == | == Basic Idea == |