\chapter{How to use \gnutls{}\index{Example programs} in applications}

\input{preparation}

\label{examples}
\section{Client examples}
This section contains examples of \tls{} and \ssl{} clients using \gnutls{}.
Note that these examples contain little or no error checking.

\subsection{Simple client example with X.509 certificate support}
Let's assume now that we want to create a TCP client which communicates
with servers that use X.509 or OpenPGP certificate authentication. The following client
is a very simple \tls{} client: it supports neither session resumption nor
certificate verification. The TCP functions defined in this example
are used in most of the other examples below, without redefining them.
\input{ex-client2}

\subsection{Obtaining session information}
Most of the time it is desirable to know the security properties of
the currently established session, including the underlying ciphers and
the protocols involved. That is the purpose of the following function.
Note that it will print meaningful values only if
called after a successful \printfunc{gnutls_handshake}{gnutls\_handshake}.

\input{ex-session-info}

\subsection{Verifying peer's certificate}
A \tls{} session is not secure just after the handshake procedure has finished.
It must be considered secure only after the peer's certificate and identity have been
verified. That is, you have to verify the signature on the peer's
certificate, the hostname in the certificate, and the expiration dates.
Only after this step should you treat the connection as a secure one.
The following function is a simple example of how to verify a single certificate.
Real world programs should be able to handle certificate chains as well.

\input{ex-rfc2818}

\subsection{Using a callback to select the certificate to use}
There are cases where a client holds several certificate and key pairs,
and may want to choose the appropriate one to send in the current session.
The following example demonstrates the use of the certificate selection callback
for this purpose.
\par

\input{ex-cert-select}


\subsection{Client with Resume capability example}
\label{resume-example}
This is a modification of the simple client example. Here we demonstrate
the use of session resumption. The client connects once using
\tls{}, closes the connection and then tries to establish a new connection
using the previously negotiated data.
\input{ex-client-resume}

\subsection{Simple client example with SRP authentication}
The following client
is a very simple SRP \tls{} client which connects to a server
and authenticates using a {\it username} and a {\it password}. The
server may also authenticate itself using a certificate, and in that case
the certificate has to be verified.
\input{ex-client-srp}

\section{Server examples}
This section contains examples of \tls{} and \ssl{} servers, using \gnutls{}.

\subsection{Echo Server with X.509 authentication}
This example is a very simple echo server which supports {\bf X.509} authentication,
using the RSA ciphersuites.
\input{ex-serv1}

\subsection{Echo Server with X.509 authentication II}
The following example is a server which supports {\bf X.509} authentication.
This server supports the export-grade cipher suites, the DHE ciphersuites
and session resumption.
\input{ex-serv-export}

\subsection{Echo Server with OpenPGP\index{OpenPGP!Server} authentication}
The following example is an echo server which supports {\bf OpenPGP} key
authentication. You can easily combine this functionality with X.509 support,
that is, have a server that supports both X.509 and OpenPGP certificates, but
the two are kept separate here to keep these examples as simple as possible.
\input{ex-serv-pgp}


\subsection{Echo Server with SRP authentication}
This is a server which supports {\bf SRP} authentication. It is also
possible to combine this functionality with a certificate server. Here it
is separate for simplicity.
\input{ex-serv-srp}

\section{Miscellaneous examples}

\subsection{A callback which\index{OpenPGP!Key retrieval} retrieves OpenPGP keys}
The following example is a callback function which retrieves {\bf OpenPGP} keys from
a public key server. This is useful when a client has connected to an OpenPGP \tls{} server
and sent its key fingerprint instead of the whole key: with this callback the \tls{}
server can retrieve the full key from a public key server.
\input{ex-pgp-keyserver}

\subsection{Checking for an alert}
This is a function that checks if an alert has been received
in the current session.
\input{ex-alert}

\input{openssl}