[SDL_net] SSL tunnel?

Hi there!
I have made a nice HTTP client that works with existing services on
existing servers. The client is made to make specific queries and
gather standardized information which is displayed to the user without
any HTML on it using my interface.

My problem arose when I decided to add another service to this HTTP
client, and specifically when I found the program’s address starts
with https://…

As I understand it, https is pretty much an HTTP stream of data
tunnelled inside an SSL connection. Now since my program works very
well with normal HTTP, I figured it might be pretty simple now to
learn and master only SSL!

However, I have never worked with encryption, I know the concepts
but I may have to review some reference for all that certificate
stuff, keys, hashing and other interesting topics directly bound to
SSL. If you know of a nice starting place, please share it here…
if there are libraries that can help me tunnel my HTTP client through
HTTPS instead, then please tell me about it.

--OR--

Maybe it’s time to add such a feature to SDL!

I would be ready to work on my own SDL_crypt library if it doesn’t
exist… I’ll still need the documentation starters!

Thanks for all the help!
Simon

I’d LOVE an SSL tunnel for sdl_net that would own.

----- Original Message -----

From: sdl-bounces+atrix2=cox.net@libsdl.org
[mailto:sdl-bounces+atrix2=cox.net at libsdl.org] On Behalf Of Simon
Sent: Sunday, March 26, 2006 4:08 PM
To: A list for developers using the SDL library. (includes SDL-announce)
Subject: [SDL] [SDL_net] SSL tunnel?


SDL mailing list
SDL at libsdl.org
http://www.libsdl.org/mailman/listinfo/sdl

I can’t agree more! Something “Simple” of course! Well, I’m thinking
of making a full cryptography library for SDL, one that would support
simple hashing, cyphering, certificate creation, encryption, message
signing and more… a name for such lib will probably be close to
SDL_crypt (if it’s not already used).

Simon

On 3/26/06, Alan Wolfe wrote:

> I’d LOVE an SSL tunnel for sdl_net that would own.

I’m no expert on SSL, but I would imagine that using OpenSSL would be
ideal for a situation such as this.
The page is located at http://www.openssl.org/
There is one small thing you might want to consider before undertaking
such a project:
Many (very many, in fact) cryptographic routines, including some of
those used in SSL, fall under patent regulations.
On top of that, certain countries have import/export laws regarding the
encryption level of software packages.
I don’t know enough about the legal implications of a project, but I
know there have been issues in the past.
I would seriously consider speaking to a lawyer before undertaking any
such thing.

Elden Armbrust

Alan Wolfe wrote:

> I’d LOVE an SSL tunnel for sdl_net that would own.


Take a look at gnutls, it’s LGPL
http://www.gnu.org/software/gnutls/
On Sun, Mar 26, 2006 at 07:07:59PM -0500, Simon wrote:

> However, I have never worked with encryption, I know the concepts
> but I may have to review some reference for all that certificate
> stuff, keys, hashing and other interesting topics directly bound to
> SSL. If you know of a nice starting place, please share it here…
> if there are libraries that can help me tunnel my HTTP client through
> HTTPS instead, then please tell me about it.

About the patent, browsing in OpenSSL’s documentation, it seems these
3 things have patents: IDEA, MDC2 and RC5. It would be easy to not
include them or have the user decide if he wants to use them or not.
(as they are available in OpenSSL, I guess you can use them for dev
purposes but not commercial ones… just a guess).

Don’t worry, I’ll do a lot of research on this before mixing “SDL”
with “SSL” in one name.

On 3/26/06, Elden Armbrust wrote:

> I’m no expert on SSL, but I would imagine that using OpenSSL would be
> ideal for a situation such as this.
> The page is located at http://www.openssl.org/
> There is one small thing you might want to consider before undertaking
> such a project:
> Many (very many, in fact) cryptographic routines, including some of
> those used in SSL, fall under patent regulations.
> On top of that, certain countries have import/export laws regarding the
> encryption level of software packages.
> I don’t know enough about the legal implications of a project, but I
> know there have been issues in the past.
> I would seriously consider speaking to a lawyer before undertaking any
> such thing.

> However, I have never worked with encryption, I know the concepts
> but I may have to review some reference for all that certificate
> stuff, keys, hashing and other interesting topics directly bound to
> SSL. If you know of a nice starting place, please share it here…
> if there are libraries that can help me tunnel my HTTP client through
> HTTPS instead, then please tell me about it.

Use OpenSSL if you need to add SSL to your connection.

As for an SDL-based solution: don’t bother, libCurl already wins for API
design. :)

Use libCurl if you want a really easy HTTP library that handles all the
strange corner cases you haven’t started to think about yet…HTTP is
deceptively complex in some fairly common situations.

libCurl also has OpenSSL support included as an option (and is much
easier to use than OpenSSL directly).

--ryan.

> Use OpenSSL if you need to add SSL to your connection.
>
> As for an SDL-based solution: don’t bother, libCurl already wins for API
> design. :)
>
> Use libCurl if you want a really easy HTTP library that handles all the
> strange corner cases you haven’t started to think about yet…HTTP is
> deceptively complex in some fairly common situations.
>
> libCurl also has OpenSSL support included as an option (and is much
> easier to use than OpenSSL directly).

Thanks Ryan, it’s not the first time I hear about this libCURL and
I’ll give it a shot! But still, I guess it might be interesting to
add an SDL_crypt that would be a frontend + SDL integration of OpenSSL
(if licenses agree, didn’t check). I’m thinking about something
similar to SDL_ttf.

Anyway, got to go,
Simon

I haven’t checked out OpenSSL yet but if it isn’t compatible with sdl_net I
think an ssl tunnel would still be neat.

I made a client/server program in sdl/sdl_net that works like cvs (check
in/check out files) as well as working as a file updater and an
auto-updater.

Right now it uses plain text login, and if there was a simple way to just
wrap it up in an ssl tunnel, that would be really really useful.

A buddy of mine uses this program as a patcher for his game, while I use it
as a cvs for work and having the security of encrypted login vs plaintext
would be really nice (:

----- Original Message -----

From: sdl-bounces+atrix2=cox.net@libsdl.org
[mailto:sdl-bounces+atrix2=cox.net at libsdl.org] On Behalf Of Simon
Sent: Sunday, March 26, 2006 11:56 PM
To: A list for developers using the SDL library. (includes SDL-announce)
Subject: Re: [SDL] [SDL_net] SSL tunnel?


> A buddy of mine uses this program as a patcher for his game, while I use it
> as a cvs for work and having the security of encrypted login vs plaintext
> would be really nice (:

Yea, well… you can always hash this username and password pair and
send the hashed string instead. In your database, you would store the
hash as well. It adds security as no one can actually know what your
password or username are. However a hacker could possibly intercept
the hash and use it to log in. But in any case you should never store
raw passwords, hash them. (To know more, look in Google for “MD5”, a
hashing algorithm).

Other than that, it seems to be ultra complicated to implement SSL.
We might not be able to implement a liteSSL version for SDL securely.
I guess the only best way to do this is to use existing libraries and
possibly just make an SDL frontend to it, like what SDL_ttf is doing
with freetype.

I’ll work my way for my own tool and when I get any sort of results
I’ll post it here. I’ll try to make simple tunnelling functions…

Thanks for the interest though!
Simon

On Mar 28, 2006, at 12:41 AM, Simon wrote:

> Yea, well… you can always hash this username and password pair and
> send the hashed string instead. In your database, you would store the
> hash as well. It adds security as no one can actually know what your
> password or username are. However a hacker could possibly intercept
> the hash and use it to log in. But in any case you should never store
> raw passwords, hash them. (To know more, look in Google for “MD5”, a
> hashing algorithm).

Sending a simple hash of the password is no more secure than sending
the password itself, so there is no point in doing that. Either send
the plaintext or use strong encryption. I do agree with storing the
passwords in the server as hashes, though. If you do that, you
should also look into “salting” your hashes.

As well, new applications should generally avoid using MD5 for
security purposes, unless they have to for some reason. Use one of
the SHA2 algorithms instead.

spencer
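
The two points made in the reply above (a hash sent in place of the password is itself the credential, and stored hashes should be salted and SHA-2 based), as an added Python example that is not part of any post in this thread. The class names, the sample accounts and the iteration count are assumptions, and it goes one step beyond a single salted hash by using PBKDF2-HMAC-SHA256, an iterated SHA-2 construction.

```python
import hashlib, hmac, secrets

ITERATIONS = 200_000  # assumed work factor for this sketch

def naive_token(username: str, password: str) -> str:
    """Scheme proposed in the thread: the client sends hash(username:password)."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()

class NaiveServer:
    """Stores exactly what the client sends, so the hash itself is the credential."""
    def __init__(self):
        self.db = {}
    def register(self, username, password):
        self.db[username] = naive_token(username, password)
    def login(self, username, token):
        return hmac.compare_digest(self.db.get(username, ""), token)

class SaltedServer:
    """Stores (salt, PBKDF2 output); the password arrives over an encrypted channel."""
    def __init__(self):
        self.db = {}
    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    def register(self, username, password):
        salt = secrets.token_bytes(16)  # fresh random salt per account
        self.db[username] = (salt, self._derive(password, salt))
    def login(self, username, password):
        if username not in self.db:
            return False
        salt, stored = self.db[username]
        return hmac.compare_digest(stored, self._derive(password, salt))

def demo():
    naive, salted = NaiveServer(), SaltedServer()
    for user in ("alice", "bob"):  # constructed accounts sharing one password
        naive.register(user, "hunter2")
        salted.register(user, "hunter2")
    on_the_wire = naive_token("alice", "hunter2")  # what an eavesdropper records
    return {
        "replayed_hash_accepted": naive.login("alice", on_the_wire),
        "same_password_same_record": salted.db["alice"][1] == salted.db["bob"][1],
        "stored_hash_works_as_login": salted.login("alice", salted.db["alice"][1].hex()),
        "password_accepted": salted.login("alice", "hunter2"),
        "wrong_password_accepted": salted.login("alice", "hunter3"),
    }

if __name__ == "__main__":
    print(demo())
```

The salted design only protects the stored records; the login itself still needs the encrypted connection the thread is asking about.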

This is pretty much off-topic at this point. Could you take it to e-mail?

Thanks!
-Sam Lantinga, Senior Software Engineer, Blizzard Entertainment