topic Re: sockets in Operating System - OpenVMS

sockets

Eric_369 — Wed, 19 Oct 2005 12:16:19 GMT

Hello!
I just wanted to thank all of you who have responded to all my questions and thank you for giving me great solutions to my OpenVMS questions.

My next question is a programming question. I hope I'm on the right forum. Anyway, here goes. We have been writing GUI applications using MS Visual C++ that access our data, stored in indexed files, on an Alpha server running OpenVMS. Our client (Windows) applications use a derivation of the MFC CSocket class and our server uses the sys$qio system routines. The nature of our business requires that we transfer data from server to client securely. When we make a connection over the internet we use a VPN gateway to encrypt our data; however, this can be expensive and requires another layer of expertise for our company and clients. My desire is to solve this problem by creating a secure socket on both the server and client using some kind of SSL implementation; whereby, the regular socket is wrapped, as it were, in an SSL routine for reads and writes eliminating the need for encryption devices. Can anyone help me solve this problem by suggesting SSL 'c' libraries that would be compatible in both the OpenVMS HP 'C' and Windows Visual C++ programming environments.
Eric

Re: sockets

Bojan Nemec — Wed, 19 Oct 2005 13:00:31 GMT

Eric,

Take a look to OpenSSL. On VMS you have a HP release of OpenSSL:

http://h71000.www7.hp.com/openvms/products/ssl/ssl.html

On windows you can download it from:

http://www.openssl.org/

Bojan

Re: sockets

Arch_Muthiah — Wed, 19 Oct 2005 13:06:17 GMT

Hi Eric,

We have few sample programs in our OpenVMS directory for your requirement (similar). But for windows side, I have no info.

Better you can go thru these sample programs
1.SSL$simple_cli.c
2.SSL$simple_serv.c

Using SOCKET
1. SSL$BIO_cli.c
2. SSL$BIO_serc.c

Using $QIO
1. SSL$TCP_client_qio.c
2. SSL$TCP_server_qio.c

All these files are available in
SYS$COMMON:[SYSHLP.EXAMPLES.SSL] directory.

Archunan

Re: sockets

Eric_369 — Thu, 20 Oct 2005 18:09:34 GMT

Hello,
Thanks for turning me on to the ssl sights and example programs! I do have another question concerning certificates.
I have been running the script to create all the *.ca,*.crt, and *.csr files; however, the process fails when I try to create the server and client certificate request (server.crt/client.crt) with the following error:

>>
Using configuration from ssl$root:[000000]openssl-vms.cnf
Enter pass phrase for ssl$key:client_ca.key:
unable to load number from ssl$root:[demoCA]serial.txt
error while loading serial number
2431:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:F_INT:215:
<<

Is there supposed to be something in ssl$root:[000000]serial.txt file like a unique serial number? If so who or where would I get it?

Eric

Re: sockets

Bojan Nemec — Fri, 21 Oct 2005 02:05:41 GMT

Eric,

The serial.txt file is by defaultlocated at SSL$DB:SERIAL.TXT and SSL$DB points to SSL$ROOT:[DEMOCA]. The file contains a hexadeciml number which is one more than the number of signed certificates.
The procedure to create the CA with SSL$COM:SSL$CERT_TOOL.COM is:

5. Create a CA (Certification Authority) Certificate
to create the CA (it seem you did this phase)

then you create one or more requests with:
3. Create a Certificate Signing Request

Then you must sign the request with:
6. Sign a Certificate Signing Request
use the CA certificate to sign the request.

Try to create the file with:
$ CREATE SSL$ROOT:[DEMOCA]SERIAL.TXT
01

Bojan

Re: sockets

Bojan Nemec — Fri, 21 Oct 2005 02:13:47 GMT

Eric,

Look at the SYS$COMMON:[SYSHLP.EXAMPLES.SSL]SSL$EXAMPLES_SETUP.TEMPLATE

also at this link:
http://h71000.www7.hp.com/doc/82FINAL/aa-rscvc-te/00/00/44-con.html
from the manual:
http://h71000.www7.hp.com/doc/82FINAL/aa-rscvc-te/aa-rscvc-te.HTML

Bojan

Re: sockets

Eric_369 — Fri, 21 Oct 2005 10:19:07 GMT

Bojan,
I really appreciate your help! Thanks!
Eric

Re: sockets

Robert Gezelter — Sun, 23 Oct 2005 03:32:00 GMT

Eric,

Just my $ 0.02.

Just a suggestion. It is not clear from the discussion in this thread, but it is vital to avoid self-signed certificates. Go through the full process and get a real certificate signed by a recognized certification authority, the cost is quite nominal (this may be your intent, but it the discussion is unclear).

A self-signed certificate guarantees nothing in terms of security. Only a certificate from a widely recognized CA provides any guarantee to remote users of authenticity.

- Bob Gezelter, http://www.rlgsc.com