Security blanket
--#--
Mucking around with SSL code ain't for the faint of heart. So, get
your courage up and let's go.

I hope you've stepped through the HTTP Gadget, as this exercise will
be mostly a repeat of those steps, but using the Secure Sockets Layer.

The coding examples in the HTTP Gadget used Java, but these will use
C. There are some excellent Java libraries for making SSL connections,
including RSA's BSAFE Crypto-J/SSL-J, the IAIK-Java Group's iSaSiLk
and Phaos Technology's SSLava. But those are commercial products with
commercial licenses. For this gadget I've chosen the really cool, if
difficult and undocumented, OpenSSL libraries. OpenSSL is free under
the GNU General Public License.

OpenSSL includes complete libraries for constructing SSL-capable clients
and servers using all popular encryption algorithms (RC4, DES, Triple-DES,
Blowfish, Diffie-Hellman, RSA public keys, MD5 and SHA-1). It includes
utilities for generating certificate requests and modifying the Apache
Web server to handle SSL connections. Most of the code in the project,
which is descended from Eric Young's SSLeay programs, is written in
C.

So, your first assignment is to download and compile the package.
Compilation is a simple process of running the config and
make programs, but it can take a bit of time. You may
run into some snags; if you do, check the archives of the
OpenSSL users list. It's likely you'll find an answer to a similar
problem there.

If you live in the U.S. or Canada, be sure to read the licensing information
concerning the RSA code. You might want to configure the compilation to use
RSA Data Security's "rsaref" libraries, which RSA released with a free
license for non-commercial use. A normal compilation will use
OpenSSL's own internal code for RSA-patented algorithms, which might be
a violation for U.S. and Canadian users. If you plan to use OpenSSL
commercially, you might want to compile with no patented ciphers
included. It's up to you.

Once you've got the programs and libraries installed,
we'll start having fun with SSL!