OpenSSL and Win32 SSL API :: SSL/TLS
kuphryn
March 10th, 2004, 08:42 PM
Hello.
I am designing an application that requires the support of SSL/TLS layer socket transfer. I would like to know what is the most extensible solution.
- OpenSSL
- Win32 SSL API
The Win32 SSL API is quicker in terms of implementation. OpenSSL requires the use and in-depth knowledge of how the library handles I/O.
My primary concern is with the non-blocking I/O model. Part of the design includes an OVERLAPPED I/O model via winsock. I have no problem blending the Win32 SSL API with the current OVERLAPPED I/O. However, OpenSSL is somewhat different. Here is what the OpenSSL design could end up as.
- Winsock connect
- Associate socket to OpenSSL layer (global context)
- OpenSSL connect
- send/recv via OpenSSL API
OpenSSL does support an event callback interface. However, is its send and receive API blocking or non-blocking? How will it affect the winsock OVERLAPPED layer? In other words, if there is incoming data, will OpenSSL handle the callback or will winsock handle the callback?
Thanks,
Kuphryn
Andreas Masur
March 11th, 2004, 06:34 AM
[Moved thread]
j0nas
March 11th, 2004, 04:52 PM
OpenSSL (www.openssl.org) is very extensible and dynamic when it comes to I/O. It's designed around abstract I/O layers called BIO (Basic Input Output). The design is very object oriented, although it's in C. The SSL engine uses BIO interfaces to carry out I/O etc.
There are several ready-to-use BIO implementations in the library, but you can always implement your own BIO if you have special needs in your application.
If you want to use Winsock overlapped I/O, you can either write your own BIO or use a built-in mem-BIO (memory bio).
Let me know if you need more info.
/Jonas
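The memory-BIO arrangement described in the reply above, as an added example that is not part of the original thread. It uses Python, whose ssl module exposes OpenSSL's memory BIO as ssl.MemoryBIO, to show that the TLS engine never touches the socket: the application feeds it bytes from completed receives and sends whatever the engine queues. The function names, the host name example.test and the plaintext reply are constructed for illustration.

```python
import ssl


def new_client_engine(server_name):
    """Create a TLS client whose only I/O is two in-memory buffers.

    C equivalents: BIO_new(BIO_s_mem()) twice, then SSL_set_bio().
    """
    ctx = ssl.create_default_context()   # certificate and hostname checks stay on
    incoming = ssl.MemoryBIO()           # ciphertext received from the network
    outgoing = ssl.MemoryBIO()           # ciphertext waiting to be sent
    engine = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    return engine, incoming, outgoing


def step_handshake(engine, incoming, outgoing, received=b""):
    """Advance the handshake by one step.

    received: bytes delivered by a completed overlapped receive (may be empty).
    Returns (state, to_send). state is "done", "want_read" or "failed";
    to_send is ciphertext the caller must post as its next overlapped send.
    """
    if received:
        incoming.write(received)         # C: BIO_write() on the read BIO
    try:
        engine.do_handshake()            # C: SSL_connect()
        state = "done"
    except ssl.SSLWantReadError:         # engine needs more bytes from the peer
        state = "want_read"
    except ssl.SSLError:                 # protocol or certificate failure
        state = "failed"
    return state, outgoing.read()        # C: BIO_read() on the write BIO


def demo():
    engine, incoming, outgoing = new_client_engine("example.test")
    # First step: no network data yet, the engine queues its ClientHello.
    state1, flight1 = step_handshake(engine, incoming, outgoing)
    # Constructed reply from a service that is not speaking TLS at all.
    reply = b"HTTP/1.1 400 Bad Request\r\n\r\n"
    state2, _ = step_handshake(engine, incoming, outgoing, reply)
    return state1, flight1, state2


if __name__ == "__main__":
    s1, hello, s2 = demo()
    print(s1, len(hello), hex(hello[0]), s2)
```

With this layout the socket layer receives every completion notification, and the engine only reports whether it needs more input.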
kuphryn
March 13th, 2004, 02:27 AM
Okay. Thanks.
I am in the implementation stage. For some reason, a call to SSL_new() crashes the program with an access violation error code. Everything looks valid including the global context.
    SSL_CTX *pContext = SSL_CTX_new(SSLv23_method());
    // This code crashes the program
    SSL *pSSL = SSL_new(pContext);
The error is access violation at address 0x00000000. Weird!
The creation of the SSL context is okay. Library files load okay as well.
Kuphryn
j0nas
March 13th, 2004, 05:16 AM
Can you post the code around SSL *pSSL = SSL_new(pContext)?
I also need to know:
1. Which openssl version are you using?
2. Have you built openssl as debug or release mode?
3. Have you set up thread protection callbacks?
kuphryn
March 13th, 2004, 11:41 AM
Good questions.
First off, I did not build the OpenSSL library DLL. I tried, but I could not compile directly from the package that was available at OpenSSL.org. I downloaded a package from this company.
http://www.slproweb.com/products/Win32OpenSSL.html
Win32 OpenSSL v0.9.7c
I tested the program in debug mode. It crashed. I tested it in release mode. It crashed.
There is no thread protection in the callback yet. The program is still in the beginning stage.
    bool InitSSL(// Handle to socket to associate with SSL layer
                 SOCKET socket,
                 // Global SSL layer context
                 SSL_CTX * const pSSLContext,
                 // Global SSL callback
                 OpenSSLCallback callback)
    {
        // Crashes here
        m_pSSLClient = pSSL_new(pSSLContext);
        ...
    }
Kuphryn
j0nas
March 14th, 2004, 03:23 AM
Did you call SSL_library_init() before even doing SSL_CTX_new()?
Also, I think you should call CRYPTO_set_locking_callback() before even calling SSL_library_init().
I've attached a very simple SSL client test prog I wrote some years ago... It sends an HTTP request over HTTPS.
I hope it helps,
Jonas
kuphryn
March 14th, 2004, 12:08 PM
Okay. Thanks.
Yes, the process calls SSL_library_init() before SSL_CTX_new().
I recheck because maybe there is a deadlock somewhere because I am not using CRYPTO_set_locking_callback().
Kuphryn
bluescode
July 21st, 2004, 04:13 PM
Hi !
I tried to compile the ssltest1.c file attached by jonas. It compiled well. But when I build it, it errors out at 23 places. All these errors are LNK2001 errors, and a few of them are listed below:
error LNK2001: unresolved external symbol _SSL_CTX_set_verify
error LNK2001: unresolved external symbol _SSL_CTX_new
What do I need to do to overcome these errors ?
Does someone have a sample code for a C++ client on Win32 using SSL ?
Thanks
j0nas
July 21st, 2004, 04:34 PM
> I tried to compile the ssltest1.c file attached by jonas. It compiled well. But when I build it, it errors out at 23 places. All these errors are LNK2001 errors, and a few of them are listed below:
You need to link against the openssl libraries (libeay32.lib and ssleay32.lib). You also need the header files (lots of them). The best way to get hold of the libraries and header files is of course to download the source code from www.openssl.org and then build it. It is quite easy actually. Unpack the source code and then follow the step-by-step instructions found in file INSTALL.W32 (top directory in the source tree).
codeguru.com
Copyright 2007 Jupitermedia Corporation All Rights Reserved.