SSL and TLS¶
New in version 1.9.4.
Botan supports both client and server implementations of the SSL/TLS protocols, including SSL v3, TLS v1.0, and TLS v1.1. The insecure and obsolete SSL v2 is not supported.
The implementation uses std::tr1::function, so it may not have been compiled into the version you are using; you can test for the feature macro BOTAN_HAS_SSL_TLS to check.
TLS Clients¶
- class TLS_Client¶
- TLS_Client(std::tr1::function<size_t, byte*, size_t> input_fn, std::tr1::function<void, const byte*, size_t> output_fn, const TLS_Policy& policy, RandomNumberGenerator& rng)¶
Creates a TLS client. It will call input_fn to read bytes from the network and call output_fn when bytes need to be written to the network.
- size_t read(byte* buf, size_t buf_len)¶
Reads up to buf_len bytes from the open connection into buf, returning the number of bytes actually written.
- void write(const byte* buf, size_t buf_len)¶
Writes buf_len bytes in buf to the remote side
- void close()¶
Closes the connection
- std::vector<X509_Certificate> peer_cert_chain()¶
Returns the certificate chain of the server
A simple TLS client example:
#include <botan/botan.h>
#include <botan/tls_client.h>
#include "socket.h"
using namespace Botan;
#include <stdio.h>
#include <string>
#include <iostream>
#include <memory>
class Client_TLS_Policy : public TLS_Policy
{
public:
bool check_cert(const std::vector<X509_Certificate>& certs) const
{
for(size_t i = 0; i != certs.size(); ++i)
{
std::cout << certs[i].to_string();
}
std::cout << "Warning: not checking cert signatures\n";
return true;
}
};
int main(int argc, char* argv[])
{
if(argc != 2 && argc != 3)
{
printf("Usage: %s host [port]\n", argv[0]);
return 1;
}
try
{
LibraryInitializer botan_init;
std::string host = argv[1];
u32bit port = argc == 3 ? Botan::to_u32bit(argv[2]) : 443;
printf("Connecting to %s:%d...\n", host.c_str(), port);
SocketInitializer socket_init;
Socket sock(argv[1], port);
AutoSeeded_RNG rng;
Client_TLS_Policy policy;
TLS_Client tls(std::tr1::bind(&Socket::read, std::tr1::ref(sock), _1, _2),
std::tr1::bind(&Socket::write, std::tr1::ref(sock), _1, _2),
policy, rng);
printf("Handshake extablished...\n");
#if 0
std::string http_command = "GET / HTTP/1.1\r\n"
"Server: " + host + ':' + to_string(port) + "\r\n\r\n";
#else
std::string http_command = "GET / HTTP/1.0\r\n\r\n";
#endif
tls.write((const Botan::byte*)http_command.c_str(),
http_command.length());
size_t total_got = 0;
while(true)
{
if(tls.is_closed())
break;
Botan::byte buf[128+1] = { 0 };
size_t got = tls.read(buf, sizeof(buf)-1);
printf("%s", buf);
fflush(0);
total_got += got;
}
printf("\nRetrieved %d bytes total\n", total_got);
}
catch(std::exception& e)
{
printf("%s\n", e.what());
return 1;
}
return 0;
}
TLS Servers¶
A simple TLS server
#include <botan/botan.h>
#include <botan/tls_server.h>
#include <botan/rsa.h>
#include <botan/dsa.h>
#include <botan/x509self.h>
#include "socket.h"
using namespace Botan;
#include <stdio.h>
#include <string>
#include <iostream>
#include <memory>
class Server_TLS_Policy : public TLS_Policy
{
public:
bool check_cert(const std::vector<X509_Certificate>& certs) const
{
for(size_t i = 0; i != certs.size(); ++i)
{
std::cout << certs[i].to_string();
}
std::cout << "Warning: not checking cert signatures\n";
return true;
}
};
int main(int argc, char* argv[])
{
int port = 4433;
if(argc == 2)
port = to_u32bit(argv[1]);
try
{
LibraryInitializer botan_init;
SocketInitializer socket_init;
AutoSeeded_RNG rng;
//RSA_PrivateKey key(rng, 1024);
DSA_PrivateKey key(rng, DL_Group("dsa/jce/1024"));
X509_Cert_Options options(
"localhost/US/Syn Ack Labs/Mathematical Munitions Dept");
X509_Certificate cert =
X509::create_self_signed_cert(options, key, "SHA-1", rng);
Server_Socket listener(port);
Server_TLS_Policy policy;
while(true)
{
try {
printf("Listening for new connection on port %d\n", port);
Socket* sock = listener.accept();
printf("Got new connection\n");
TLS_Server tls(
std::tr1::bind(&Socket::read, std::tr1::ref(sock), _1, _2),
std::tr1::bind(&Socket::write, std::tr1::ref(sock), _1, _2),
policy,
rng,
cert,
key);
std::string hostname = tls.requested_hostname();
if(hostname != "")
printf("Client requested host '%s'\n", hostname.c_str());
printf("Writing some text\n");
char msg[] = "Foo\nBar\nBaz\nQuux\n";
tls.write((const Botan::byte*)msg, strlen(msg));
printf("Now trying a read...\n");
char buf[1024] = { 0 };
u32bit got = tls.read((Botan::byte*)buf, sizeof(buf)-1);
printf("%d: '%s'\n", got, buf);
tls.close();
}
catch(std::exception& e) { printf("%s\n", e.what()); }
}
}
catch(std::exception& e)
{
printf("%s\n", e.what());
return 1;
}
return 0;
}