Microsoft implementation of generating SSL certificate - c

I am building a server/client application and I would like to use Microsoft's SSL instead of a 3rd party library such as OpenSSL.
I have came across this example code on the MSDN:
Server: https://learn.microsoft.com/en-us/windows/win32/secauthn/using-sspi-with-a-windows-sockets-server
Client: https://learn.microsoft.com/en-us/windows/win32/secauthn/using-sspi-with-a-windows-sockets-client
I am looking through the code and it appears that it is using a function AcquireCredentialsHandle which from my understanding just uses existing credentials (cert?) found on the system.
I would like to, if possible, create my own certificate on the fly each time I connect to the server. This way the cert is changed each time and if anyone were to get my cert then it would only be useful for the specific set of traffic.

Related

azure iothub sdk mqtt sample - error tls certificate

I'm trying to run the azure iothub sdk c sample of the mqtt protocol.
I've compiled hte project but when I run the program it returns some error about SSL routines
This i the complete error:
error:1416F086: SSL routines:tls_process_server_certificate:certificate verify failed
Info: Closing tlsio from a state other than TLSIO_STATE_EXT_OPEN or TLSIO_STATE_EXT_ERROR
I got only this error repeated five times, one for each accepted message ready to be transmitted to the IoTHub.
I've read that I need to set trust to the openssl certs in the sample directory but I've not figured out how to do this task or how to avoid this problem.
Is there someone who has already faced this issue?
This document describes in detail how to prepare your development environment as well as how to run the samples on Linux, Windows or other platforms. Please refer to the section to rebuild you code and then run to test.
Try using the TrustedCerts option. With this option you can pass to the SDK the certificate that is used to validate the server's certificate. This is typically used when either you don't have the root certificate, Baltimore CyberTrust, or your device does not have the concept of a trusted root certificate store. You can find an example of this option being used in
<repositoryRoot>\iothub_client\samples\iothub_client_sample_amqp_shared\iothub_client_sample_amqp_shared.c
https://github.com/Azure/azure-iot-sdk-c/blob/44827986929af7f4fbb41806b880a6da4e13d3e8/iothub_client/samples/iothub_client_sample_amqp_shared/iothub_client_sample_amqp_shared.c#L261

Simple HTTPS to HTTP proxy

I'm trying to test out U2F on Google Appengine.
Unfortunately dev_appserver.py, the development app server for local testing, only runs in HTTP, and the U2F standard requires that the web server be connected over HTTPS.
There are some options for proxy servers, including stunnel, stud, Pound and ngrok.
What I am doing will probably end up being an open source package, so I would like to keep the setup fairly straightforward and dependency list strictly to widely available packages.
An ideal solution would be a command-line program along the lines of prog_name -listen localhost:8041 -proxy localhost:8040; in other words, a very simple command line setup.
The stud and pound programs seem like overkill.
The stunnel option seems to be the best and most common solution, but it would be better if it could be configured from the command line instead of a config file.
Ngrok is super-cool and seems to be along the right lines. It gives you a random server name though, which can be a problem since the U2F appId must match the server (if persistence matters), but other than that it's basically the right idea.
I have a vague memory of this being possible with openssl from the command line, but the only command that seems suitable is s_server and that seems to only provide ssl reflection/debugging information and not the option to proxy requests per se. My memory must be faulty.
It would not be terribly difficult to write-up a trivial Python server/client proxy, leading me to believe there's probably a simple option out there ... however, the search results have a dreadful signal-noise ratio.
Are there other sensible options for developing with a HTTPS server when the content is served over HTTP (as the case is with AppEngine's dev_appserver.py)?

Downloading a file from SFTP Server in Delphi [duplicate]

I'm writing a simple Delphi App to upload a few files to a SFTP Server. i thought i would be able to use a TIdFTP indy client but it seams as tho their is not an option for FTP Over SSH (SFTP) does anyone know of any Free / Open source Components for Delphi 2010 that would support FTP over SSH (SFTP). Due to security reasons im unable to use Active X controls so please do not respond with Active X solutions.
Thanks for the help,
Kyle
SFTP and "FTP over SSH" are two separate things, and neither involves SSL (as someone else has suggested). SFTP is a sub-protocol of SSH while "FTP over SSH" is good/bad ol' FTP tunnelled through an SSH connection with port forwarding.
Either way, what you're after is a Delphi SSH library. I was unable to find a free SSH library for Delphi and ended purchasing SecureBlackbox (http://www.eldos.com/), which is excellent by the way, although SecureBridge (http://www.devart.com) also looks pretty good.
1) SFTP is NOT FTP-over-SSH. Read the discussion here.
2) For SFTP there are no free Delphi components. You can use our SFTP client and server components for Delphi (part of SecureBlackbox product), which are supported and maintained commercial solution.
I've been using PuTTY's SCP command line utility, with catching it's standard out via the CreateProcess method.
IP*Works include SFTP component - http://www.nsoftware.com/products/component/sftp.aspx and registered user of Delphi XE a XE2 can download this from code central (ID: 28437, ID: 28012)
and for Synapse is in contrib dir demo of simple SFTP - http://synapse.ararat.cz/files/contrib/
And since October 2019, there's a DLL fork of PuTTY with Delphi units, please see
https://github.com/superflexible/TGPuttyLib
This was created to be able to achieve the highest possible transfer rates over SFTP. It's free and very easy to use (with examples).
Look at Synapse ( http://synapse.ararat.cz/doku.php/download ) suporting ssl protocole.
Exemple code: http://synapse.ararat.cz/doku.php/public:howto:tcpwithssl
Another secure connection component set is from nSoftware: http://www.nsoftware.com/ipworks/ssh/components.aspx
You get SSH Tunnel, and SFTP.
They also offer a full component set of SSL related items: http://www.nsoftware.com/ipworks/ssl/components.aspx
libssh2 (wriiten in C) supports SFTP, and we have two separate Delphi wrappers (not sure which one is better):
https://github.com/pult/libssh2_delphi
and
https://github.com/dimmaq/delphi-libssh2
SecureBridge from DevArt also support SFTP, comes with full source for the Professional Editon.

Controlling Name Resolution server (DNS) address per request

Looking for ideas on how to generate a Name Resolution request and specify to which server to dispatch the request.
I'm working on Linux.
Up until now, I found two options:
Use an external library which can be hooked for achieving this.
Anyone knows a reliable DNS library that can be used for a production system?
Use Network Namespaces to virtualize the stack and use mounting to link the name resolution server files per namespace (see iproute2 latest version). Requests issued from each namespace may have different servers.
please share your thoughts...
Linux actually comes with a resolver API. See the man(3) page for 'resolver', and link your application with -lresolv.
The libsres library (dnsval) from the DNSSEC-Tools project definitely lets you send queries to a particular server. I know because I've done just that inside the DNSSEC-Check application, which is also part of the DNSSEC-Tools project.

OpenSSL code woes

So I'm writing some C code to connect to a server that is expecting me to provide a certificate for authentication. I'm using OpenSSL to do the SSL communications and I've got the socket code worked out, and I have code to do the SSL part worked out to, but what I can't seem to get simply because the docs are so sparse is how to implement the function:
SSL_CTX_set_client_cert_cb
If any one has any tips I would greatly appreciate it.
You do not need to use SSL_CTX_set_client_cert_cb(). The simplest way is to use SSL_use_certificate_file() to set the certificate and SSL_use_PrivateKey_file() to set the corresponding private key, before calling SSL_connect().

Resources