Secure Sockets

Björnke von Gierke bvg at mac.com
Wed Oct 15 12:59:29 EDT 2014


Hi all

I'm rather uneducated with encryption stuff, so I wanted to try out secure sockets. However, most likely due to my incapability to understand what I'm doing, I've been unable to get a simple example working.

I've used my own "simplest socket client/server" stacks from rev online, ran them in two different LC instances (because LC locks up if you do server and client in the same executable), and then I modified them to use secure stuff.

First I simply set the client to use "open secure socket to...". Funnily this would show what I assumed were encrypted handshake messages on the server side (gibberish). But of course I have no idea about how to decrypt those, plus, that's probably not how things should work.

I then added a "secure" to the server side by using "accept secure sockets on..." which would actually result in a connection (note: "secure" is undocumented for "accept" so I have made a bug report in regards to that, because it seems to work just fine.) However, if I then try to send a message from the client to the server, it fails with these errors on their respective ends:

client: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
server: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I assume that I am using the commands correctly, but that I guess I do need to specify the server to use a certificate?

Questions Galore!

- Has anyone done secure sockets with both server and client implemented in LC (or just the server)?
- Is it possible to do a secure connection as CLIENT, when the certificate does not exist or remains unspecified on the client side? (I assume this is when I need to specify "without verification")?
- Is it possible to do a secure SERVER and not specify a certificate or a key on the server side? I guess not, but is it possible to let LC do certificates and keys for me behind the curtains?
- I'm testing on mac os x, so I can create a certificate using Keychain.app. What settings would I need to do there?
- Is it insecure to issue a certificate for 127.0.0.1 (localhost)?
- If I got a certificate that is applicable, how do I tell LC to use it as my server certificate?
- SSLv3 is deemed insecure. In case I ever get anything working, how can I disable SSL completely, and force my connections to always use TLS or even only TLSv1.2?
- How about any of the other minutiae of cypher selection and key exchange, how can I do that manually? Should I do that manually?

Thank you for any information, and feel free to answer any questions even if only partially or guesswork. Also feel free to answer questions which I neglected to ask. If I ever get this to work, and have some basic comprehension, I'll make a lesson at lessons.runrev.com, so everyone can benefit in the future.

cheers
Björnke

-- 

Use an alternative Dictionary viewer:
http://bjoernke.com/bvgdocu/

Chat with other RunRev developers:
http://bjoernke.com/chatrev/
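
Added example, not part of the original post and not LiveCode: Python's ssl module (also built on OpenSSL) stands in to show that a TLS server with no certificate loaded produces the same pair of errors quoted above, even when the client skips verification. The function names are hypothetical, and the server is pinned to TLS 1.2 as an assumption so the error text stays stable.

```python
import ssl

def make_contexts():
    """Client that skips verification; server with NO certificate loaded."""
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False            # the "without verification" case
    client.verify_mode = ssl.CERT_NONE
    client.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3 / TLS 1.0 / 1.1
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server.minimum_version = ssl.TLSVersion.TLSv1_2
    server.maximum_version = ssl.TLSVersion.TLSv1_2   # assumption: pin for stable errors
    # Deliberately no server.load_cert_chain(...): this is the misconfiguration.
    return client, server

def handshake_errors(client_ctx, server_ctx, max_rounds=10):
    """Handshake over in-memory BIOs; return (client_reason, server_reason)."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    sides = {
        "client": (client_ctx.wrap_bio(c_in, c_out, server_side=False), c_out, s_in),
        "server": (server_ctx.wrap_bio(s_in, s_out, server_side=True), s_out, c_in),
    }
    reason = {"client": None, "server": None}
    done = set()
    for _ in range(max_rounds):
        for name, (obj, outgoing, peer_in) in sides.items():
            if name not in done:
                try:
                    obj.do_handshake()
                    done.add(name)
                except ssl.SSLWantReadError:
                    pass                        # needs more bytes from the peer
                except ssl.SSLError as exc:
                    reason[name] = exc.reason   # OpenSSL reason mnemonic
                    done.add(name)
            data = outgoing.read()              # forward whatever this side wrote
            if data:
                peer_in.write(data)
        if len(done) == 2:
            break
    return reason["client"], reason["server"]

if __name__ == "__main__":
    client_reason, server_reason = handshake_errors(*make_contexts())
    print("client:", client_reason)
    print("server:", server_reason)
```

With the default cipher list every non-anonymous TLS 1.2 suite needs a server key, so the server finds nothing it can offer and sends the handshake-failure alert the client then reports.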