1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
\documentclass{book}
\usepackage{html}
\usepackage{fancyheadings}
\input{macros}
\begin{document}
\pagenumbering{roman}
\input{cover}
\tableofcontents
\newpage
\pagenumbering{arabic}
\pagestyle{fancy}
\chapter{The Library}
\section{Introduction}
\par
\gnutls is a portable library which implements the {\emph TLS 1.0} and
{\emph SSL 3.0} protocols.
TLS stands for 'Transport Layer Security' and is the sucessor of SSL\footnote{
SSL or Secure Sockets Layer is a protocol designed by Netscape. TLS 1.0 is based on
{\emph SSL 3.0} protocol. {\emph SSL 2.0} is a very old protocol which is vulnerable
to several attacks. SSL 2.0 is not implemented in \gnutls}.
{\emph TLS 1.0}\footnote{described in {\it RFC 2246}} is an Internet protocol,
defined by IETF\footnote{IETF or Internet Engineering Task Force
is a large open international community of network
designers, operators, vendors, and researchers concerned with the evolution of
the Internet architecture and the smooth operation of the Internet. It is open to any interested individual.}
that provides confidentiality, and authentication layers over a {reliable
transport layer}\footnote{TLS is mostly used over {\emph TCP/IP} although this is not restrictive, you may
use it over any reliable transport layer.}. \gnutls implements the
above protocols in reentrant way in order to be used in multiple threads of
execution (without the need for Critical Sections).
\par
Currently \gnutls implements:
\begin{itemize}
\item the {\bf TLS 1.0} and {\bf{ SSL 3.0}} protocols, without any (US) export-controlled algorithms
\item {\bf X509} Public Key Infrastructure (with several limitations).
\item {\bf SRP} for TLS authentication.
\item TLS {\bf Extension mechanism}
\end{itemize}
\subsection{Confidentiality}
\par
Confidentiality is provided by using symmetric encryption algorithms like {\bf 3DES},
{\bf AES\footnote{AES or Advanced Encryption Standard is actually the RIJNDAEL algorithm. This is the
algorithm that will replace DES.}}, or
stream algorithms like {\bf ARCFOUR\footnote{ARCFOUR is a compatible
algorithm with RSA's RC4 algorithm.}}. A symmetric encryption algorithm uses a single (secret) key
to encrypt and decrypt data. Block algorithms in TLS also provide protection
against statistical analysis of the data. \gnutls makes use of this property
thus, if you're operating in TLS 1.0 mode, a random number of blocks will be
appended to the data. This will prevent eavesdroppers from guessing the
actual data size.
\subsection{Authentication}
\par
The following authentication schemas are supported in \gnutls:
\begin{enumerate}
\item X509 Public Key Infrastructure
\item Anonymous authentication
\item SRP authentication
\end{enumerate}
\section{Client Examples}
This section contains examples of TLS and SSL clients, using \gnutls.
\subsection{Simple Client example with X509 Authentication}
Let's assume now that we want to create a client which communicates
with servers using the X509 authentication schema. The following client
is a very simple TLS client, it does not support session resuming nor
any other fancy features.
\input{ex2}
\subsection{Getting peer's information}
\par The above example was the simplest form of a client, it didn't even check
the result of the peer's certificate verification function (ie. if we have
an authenticated connection). The following function does check the peer's X509
Certificate, and prints some information about the current state.
\par
This function should be called after a successful
\hyperref{gnutls\_handshake()}{gnutls\_handshake() (see Section }{ for more information)}{gnutls_handshake}
\input{ex3}
\subsection{Resuming Sessions}
\par
The
\hyperref{gnutls\_handshake()}{gnutls\_handshake() (see Section }{ for more information)}{gnutls_handshake}
function, is expensive since
a lot of calculations are performed. In order to support many fast connections to
the same server a client may use session resuming. {\bf Session resuming} is a
feature of the {\bf TLS} protocol which allows a client to connect to a server,
after a successful handshake, without the expensive calculations (ie. use the previously
established keys). \gnutls supports this feature, and this example illustrates a
typical use of it (This is a modification of the simple client example).
\par
Keep in mind that sessions are expired after some time (for security reasons), thus
it may be normal for a server not to resume a session even if you requested that.
\input{ex1}
\subsection{Simple Client example with SRP Authentication}
Although {\bf SRP} is not part of the TLS standard, \gnutls implements
{\it draft-ietf-tls-srp-01} which defines a way to use the SRP algorithm
within the TLS handshake. The following client
is a very simple SRP-TLS client which connects to a server by using
{\it username} and {\it password}.
\input{srp1}
\section{Server Examples}
This section contains examples of TLS and SSL servers, using \gnutls.
\subsection{Echo Server with X509 and SRP authentication}
The following example is a server which supports both {\bf SRP} and {\bf X509} authentication.
This server also supports {\it session resuming}.
\input{serv1}
\include{gnutls-api}
\input{fdl.tex}
\end{document}
|
