CSCI 6268 - Foundations of Computer and Network Security - Fall 2002

Assignment #4

Due: Nov 7th, 2002

Implement a secure tunnel system based on SSL. The system must consist of a pair of programs: sslc and ssls. sslc is the client and acts as the entrance of the tunnel, while ssls is the server and acts as the remote endpoint of the tunnel. The usage synopses of sslc and ssls are as follows:

sslc local-port ssls-host[/ssls-name] ssls-port remote-host remote-port ca-certificate [sslc-certificate sslc-priv-key]

ssls ssls-port ca-certificate [name...]

The parameters are:

  local-port        port on which sslc accepts connections from client applications
  ssls-host         host running the remote endpoint ssls
  ssls-name         name of the server used for authentication. This parameter is optional. You may choose not to support it at all, or to support it as an optional parameter.
  ssls-port         port on which ssls accepts connections from sslc
  remote-host       host running the server application, to which ssls connects to establish the tunnel
  remote-port       port on which the server application accepts connections
  ca-certificate    file containing the certificate of a trusted certification authority, serving as a trust anchor.
  sslc-certificate  file containing client's certificate (optional)
  sslc-priv-key     file containing client's certificate (optional)
  name...           optional list of authorized subjects.

The architecture of the tunnel is shown below in Figure 1:

Figure 1: Architecture of The SSL Tunnel Mechanism

It is not required that sslc and ssls handle multiple tunnels at the same time. In order to test your implementation you may want to use a simple client/server application. I suggest you use a web browser, pointing sslc to any web server, and pointing the web browser to your sslc.

Authentication

The client (sslc) must always authenticate the server (ssls) by:
  1. verifying the server's certificate; and
  2. matching the X.509 common name (CN) of the server's certificate with either the ssls-host parameter or with the optional ssls-name parameter.

When run with one or more name parameters, the server (ssls) will authenticate the client (sslc) by:

  1. using the client authentication option of the SSL handshake protocol, which requests the client to pass a valid certificate;
  2. verifying the client certificate; and
  3. authenticate the client by matching the X.509 common name (CN) of the client's certificate with one of the subject names passed as parameters.

I (Antonio) will be your certification authority. Use this certificate as a trust anchor for both your client and server. In order to obtain valid certificates for your implementation, you must create certificate requests and send them to me by e-mail (to [email protected]). I will sign your requests and return the corresponding X.509 certificates to you (by e-mail).

Note that if you choose not to implement the optional ssls-name parameter (within the client), then your server certificate must match the host name of the host on which you run the server, since you are using the ssls-host parameter both as an address and a name.
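
The CN matching step used by both sslc and ssls above, as an added example (it is not part of the original handout and not a reference solution): a string-based comparison next to a length-aware one, run on a CN that contains an embedded NUL byte. The function names, the sample CN and names, the case-insensitive comparison, and the idea that the caller passes the CN as raw bytes plus a length (as stored in the certificate's ASN.1 string) are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 31-byte CN with an embedded NUL after "ssls.example.org". */
static const unsigned char SAMPLE_CN[] = "ssls.example.org\0.other.example";
#define SAMPLE_CN_LEN (sizeof(SAMPLE_CN) - 1)
/* Constructed sample: authorized subject names, as given in ssls's name... list. */
static const char *const SAMPLE_NAMES[] = { "alice", "bob" };

/* Naive check: treats the CN as a C string, so it stops at the first NUL byte. */
int cn_match_naive(const unsigned char *cn, const char *expected)
{
    return strcmp((const char *)cn, expected) == 0;
}

/* Length-aware check over the raw CN bytes; ASCII case is ignored (assumption). */
int cn_match(const unsigned char *cn, size_t cn_len, const char *expected)
{
    size_t i;

    if (cn_len == 0 || cn_len != strlen(expected))
        return 0;                   /* length mismatch, e.g. bytes after a NUL */
    for (i = 0; i < cn_len; i++)
        if (tolower(cn[i]) != tolower((unsigned char)expected[i]))
            return 0;
    return 1;
}

/* Server side: the client CN must equal one of the authorized subject names. */
int cn_authorized(const unsigned char *cn, size_t cn_len,
                  const char *const names[], size_t n_names)
{
    size_t i;

    for (i = 0; i < n_names; i++)
        if (cn_match(cn, cn_len, names[i]))
            return 1;
    return 0;
}

int main(void)
{
    printf("naive:  %d\n", cn_match_naive(SAMPLE_CN, "ssls.example.org"));
    printf("strict: %d\n", cn_match(SAMPLE_CN, SAMPLE_CN_LEN, "ssls.example.org"));
    printf("client: %d\n", cn_authorized((const unsigned char *)"Bob", 3, SAMPLE_NAMES, 2));
    return 0;
}
```

The name comparison is only meaningful after certificate verification against the trust anchor has succeeded; it does not replace that step.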

Implementation Requirements

You must program this assignment in C or in C++, using a recent version of the OpenSSL library. Your code must be compatible with a recent version of the GNU gcc/g++ compiler (either 2.9x or 3.x). You may also use the utility program that comes with the OpenSSL library to create your certificate requests.

You must turn in your assignment in a single package, in the form of a TAR file (compressed with gzip if you like) or a ZIP file. Please, include the following in your package:

Please do not include the OpenSSL library in your package.

You must send the package as a MIME-compatible attachment to [email protected].