9fans - fans of the OS Plan 9 from Bell Labs
* Re: [9fans] tlssrv
@ 2002-06-17 19:47 Russ Cox
  0 siblings, 0 replies; 8+ messages in thread
From: Russ Cox @ 2002-06-17 19:47 UTC (permalink / raw)
  To: 9fans

before we switched over to the kernel driver,
we had a tlsclient.  it was only used for debugging
and never got ported over.  here's one way you might
go about implementing it.

the hard part about tlsclient is what the interface
should be.  maybe the stunnel guys have it all
figured out and i'm just being dense.  i think my
current approach is a bit awkward, but i don't have
a better idea.

	g% tlsclient -t /sys/lib/tls/mail tcp!204.178.31.2!imaps /bin/rc -c 'cat >/dev/cons'
	* ok achille.cs.bell-labs.com IMAP4rev1 server ready

it's a bit clunky.

#include <u.h>
#include <libc.h>
#include <mp.h>
#include <libsec.h>

/*
 * tlsclient: dial addr, wrap the connection in TLS and run cmd with
 * the cleartext end of the tunnel on fds 0 and 1 (stunnel -c style).
 *
 * -t file	thumbprints of acceptable server certificates
 * -x file	thumbprints to refuse even if they are listed in -t
 *
 * Without -t the server's certificate is never examined: the tunnel
 * is encrypted but the peer is not authenticated.
 */
void
usage(void)
{
	fprint(2, "usage: tlsclient [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] dialstring cmd args...\n");
	exits("usage");
}

void
main(int argc, char **argv)
{
	int fd, netfd;
	uchar digest[SHA1dlen];
	TLSconn conn;
	char *addr, *file, *filex;
	Thumbprint *thumb;

	file = nil;
	filex = nil;
	thumb = nil;
	ARGBEGIN{
	case 't':
		file = EARGF(usage());
		break;
	case 'x':
		filex = EARGF(usage());
		break;
	default:
		usage();
	}ARGEND

	if(argc < 2)
		usage();

	if(filex && !file)
		sysfatal("specifying -x without -t is useless");
	if(file){
		/* load the allow and exclude tables before touching the network */
		thumb = initThumbprints(file, filex);
		if(thumb == nil)
			sysfatal("initThumbprints: %r");
	}

	addr = argv[0];

	if((netfd = dial(addr, 0, 0, 0)) < 0)
		sysfatal("dial %s: %r", addr);

	/* handshake; fd is the cleartext end of the kernel tls device */
	memset(&conn, 0, sizeof conn);
	fd = tlsClient(netfd, &conn);
	if(fd < 0)
		sysfatal("tlsclient: %r");
	if(thumb){
		/*
		 * Pin the whole leaf certificate: its SHA1 must appear in
		 * the -t file and not in the -x file.  No chain, CA, name
		 * or expiry check is made, so the check is exactly as good
		 * as the thumbprint files.
		 */
		if(conn.cert==nil || conn.certlen<=0)
			sysfatal("server did not provide TLS certificate");
		sha1(conn.cert, conn.certlen, digest, nil);
		if(!okThumbprint(digest, thumb)){
			fmtinstall('H', encodefmt);
			sysfatal("server certificate %.*H not recognized", SHA1dlen, digest);
		}
	}
	free(conn.cert);
	close(netfd);	/* the tls device holds the connection from here on */

	/* hand the cleartext fd to the command as stdin and stdout */
	dup(fd, 0);
	dup(fd, 1);
	if(fd > 1)
		close(fd);

	exec(argv[1], argv+1);
	sysfatal("exec: %r");
}



^ permalink raw reply	[flat|nested] 8+ messages in thread
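The pinning rule the program above relies on, as an added example that is not part of Russ Cox's post and not Plan 9 code: hash the entire DER certificate the server presents, accept it only if that digest appears in an allow file and not in an exclude file, and do nothing else (no CA chain, no name, no expiry). This version builds the same check on Python's ssl module so it can be run outside Plan 9. The pin file format (one `x509 <alg>=<hex>` entry per line, `#` comments) is modelled on Plan 9's thumbprint(6) but is an assumption here, as are the function names and the constructed sample certificate bytes; sha256 is accepted alongside the sha1 the 2002 program used.

```python
# Added example: leaf-certificate thumbprint pinning in the spirit of the
# tlsclient above.  Not Plan 9 code; names and file format are assumptions.
import hashlib
import socket
import ssl
import sys

# sha1 is what the 2002 program hashed with; sha256 is accepted alongside it.
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def parse_thumbprints(text):
    """Parse pin-file text into {algorithm: {hex digest, ...}}.

    Assumed format: one 'x509 <alg>=<hex>' entry per line, '#' starts a
    comment.  Malformed lines raise rather than being skipped, so a typo in
    the pin file cannot silently turn into "nothing pinned".
    """
    table = {alg: set() for alg in ALGORITHMS}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != "x509" or len(fields) < 2:
            raise ValueError("line %d: expected 'x509 <alg>=<hex>'" % lineno)
        for attr in fields[1:]:
            alg, sep, hexdigest = attr.partition("=")
            if not sep or alg not in ALGORITHMS:
                raise ValueError("line %d: bad attribute %r" % (lineno, attr))
            hexdigest = hexdigest.lower()
            want = ALGORITHMS[alg]().digest_size * 2
            if len(hexdigest) != want or set(hexdigest) - set("0123456789abcdef"):
                raise ValueError("line %d: %s needs %d hex chars" % (lineno, alg, want))
            table[alg].add(hexdigest)
    return table


def cert_digests(cert_der):
    """Hash the entire DER certificate with every supported algorithm."""
    return {alg: fn(cert_der).hexdigest() for alg, fn in ALGORITHMS.items()}


def pinned(cert_der, allow, exclude=None):
    """okThumbprint's rule: accept iff some digest is in allow and none is in
    exclude.  Chain, CA, name and expiry are not consulted at all."""
    digests = cert_digests(cert_der)
    if exclude and any(digests[a] in exclude.get(a, ()) for a in digests):
        return False
    return any(digests[a] in allow.get(a, ()) for a in digests)


def connect_pinned(host, port, allow=None, exclude=None):
    """Dial, handshake, enforce the pin and return the TLS socket.

    CA validation is off on purpose, as in the original: the pin table is the
    only authentication of the server.  allow=None skips the check entirely,
    which is what the original does without -t: encrypted, unauthenticated.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # DER is returned even unverified
    if allow is not None:
        if not der:
            tls.close()
            raise ssl.SSLError("server did not provide TLS certificate")
        if not pinned(der, allow, exclude):
            tls.close()
            raise ssl.SSLError("server certificate sha256=%s not recognized"
                               % cert_digests(der)["sha256"])
    return tls


# Constructed sample data for offline use: not a real certificate, just bytes
# standing in for a server's DER blob, with pin files derived from it.
SAMPLE_CERT_DER = bytes.fromhex("308201") + bytes(range(64))
SAMPLE_ALLOW = ("# constructed allow list, cf. /sys/lib/tls/mail\n"
                "x509 sha1=%s\n" % hashlib.sha1(SAMPLE_CERT_DER).hexdigest())
SAMPLE_EXCLUDE = "x509 sha256=%s\n" % hashlib.sha256(SAMPLE_CERT_DER).hexdigest()

if __name__ == "__main__":
    # tlsclient.py [-t allowfile] [-x excludefile] host port
    # prints the server greeting, like the post's cat >/dev/cons example
    args, allow_path, exclude_path = sys.argv[1:], None, None
    while len(args) >= 2 and args[0] in ("-t", "-x"):
        if args[0] == "-t":
            allow_path = args[1]
        else:
            exclude_path = args[1]
        args = args[2:]
    if len(args) != 2:
        sys.exit("usage: tlsclient.py [-t allowfile] [-x excludefile] host port")
    if exclude_path and not allow_path:
        sys.exit("specifying -x without -t is useless")
    allow = parse_thumbprints(open(allow_path).read()) if allow_path else None
    exclude = parse_thumbprints(open(exclude_path).read()) if exclude_path else None
    with connect_pinned(args[0], int(args[1]), allow, exclude) as tls:
        sys.stdout.write(tls.recv(4096).decode("ascii", "replace"))
```

Two points worth noticing when adapting it: the exclude table wins over the allow table, so revoking a pinned certificate is a one-line edit to the `.exclude` file rather than a hunt through the allow list, and a pin file that fails to parse aborts the connection rather than degrading to the unauthenticated mode.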

* Re: [9fans] tlssrv
  2002-06-17 13:47 Russ Cox
@ 2002-06-17 19:02 ` Christopher Nielsen
  0 siblings, 0 replies; 8+ messages in thread
From: Christopher Nielsen @ 2002-06-17 19:02 UTC (permalink / raw)
  To: 9fans

On Mon, Jun 17, 2002 at 09:47:45AM -0400, Russ Cox wrote:
> you could use the Official Unix Encryption Solution,
> which is to tunnel vnc through ssh.  in this case,
> run sshnet to your freebsd box and then just
> vncv 127.0.0.1:n
>
> of course, sshnet seems not to like it when you do
> that, but figuring that out seems simplest of the
> solutions proposed so far.

Something about ssh doesn't sit right with me. The
protocol is overly complex, imo. I think ssl/tls is
a better way to go. It just feels like a more general
solution.

It's a shame that ssl-wrapped services didn't take
off in the UNIX world the way that ssh did.

--
Christopher Nielsen - Metal-wielding pyro techie
"Those who are willing to trade freedom for security deserve
 neither freedom nor security." --Benjamin Franklin



* Re: [9fans] tlssrv
  2002-06-17 11:08 nigel
@ 2002-06-17 18:59 ` Christopher Nielsen
  0 siblings, 0 replies; 8+ messages in thread
From: Christopher Nielsen @ 2002-06-17 18:59 UTC (permalink / raw)
  To: 9fans

On Mon, Jun 17, 2002 at 12:08:31PM +0100, nigel@9fs.org wrote:
> To my mind, tlssrv equals stunnel server mode.
>
> Thus, a tlsclient program equivalent to stunnel -c would
> seem to be the next step.

That makes a lot more sense than extending tlssrv to
handle stunnel -c. I'll have a go at it this week.

--
Christopher Nielsen - Metal-wielding pyro techie
"Those who are willing to trade freedom for security deserve
 neither freedom nor security." --Benjamin Franklin



* Re: [9fans] tlssrv
@ 2002-06-17 13:47 Russ Cox
  2002-06-17 19:02 ` Christopher Nielsen
  0 siblings, 1 reply; 8+ messages in thread
From: Russ Cox @ 2002-06-17 13:47 UTC (permalink / raw)
  To: 9fans

you could use the Official Unix Encryption Solution,
which is to tunnel vnc through ssh.  in this case,
run sshnet to your freebsd box and then just
vncv 127.0.0.1:n

of course, sshnet seems not to like it when you do
that, but figuring that out seems simplest of the
solutions proposed so far.

russ




* Re: [9fans] tlssrv
@ 2002-06-17 11:08 nigel
  2002-06-17 18:59 ` Christopher Nielsen
  0 siblings, 1 reply; 8+ messages in thread
From: nigel @ 2002-06-17 11:08 UTC (permalink / raw)
  To: 9fans

To my mind, tlssrv equals stunnel server mode.

Thus, a tlsclient program equivalent to stunnel -c would
seem to be the next step.


* Re: [9fans] tlssrv
  2002-06-14 13:45 nigel
@ 2002-06-17  9:14 ` Christopher Nielsen
  0 siblings, 0 replies; 8+ messages in thread
From: Christopher Nielsen @ 2002-06-17  9:14 UTC (permalink / raw)
  To: 9fans

On a related note, tlssrv seems to be aimed at wrapping
the server side in tls.

In my quest to secure all of my traffic via encrypted
connections, I'd like to wrap my vnc connections from my
Plan 9 terminal to my FreeBSD server in tls/ssl. There
doesn't appear to be anything currently available to do
so, unless I'm missing something about tlssrv.

It'd be easy enough to teach vncv to speak tls/ssl, but
it might be better to solve the problem with a sort of
tls/ssl wrapper like stunnel (http://www.stunnel.org/).

Options I see:

o teach vncv to use tls/ssl
o teach tlssrv to behave like stunnel
o write a new tool to do what tlssrv does but on the
  client side

I'm thinking that teaching tlssrv to operate this way
would be the way to go, but I'd like some feedback on
what others think about this before I write the code.

Thoughts?

--
Christopher Nielsen - Metal-wielding pyro techie
"Those who are willing to trade freedom for security deserve
 neither freedom nor security." --Benjamin Franklin



* Re: [9fans] tlssrv
@ 2002-06-14 13:45 nigel
  2002-06-17  9:14 ` Christopher Nielsen
  0 siblings, 1 reply; 8+ messages in thread
From: nigel @ 2002-06-14 13:45 UTC (permalink / raw)
  To: 9fans; +Cc: 9trouble

Oh right. When debugging tlssrv, use two -Ds (to enable dumping).
One -D debugs the handshake, but then messes up the tunnel (don't
know how).


* [9fans] tlssrv
@ 2002-06-14 13:34 nigel
  0 siblings, 0 replies; 8+ messages in thread
From: nigel @ 2002-06-14 13:34 UTC (permalink / raw)
  To: 9fans

Trying tlssrv (via tcp993) with Outlook Express I get successful establishment
of the tunnel, but by the look of it no data transfer. This is based on
the log file with tcp993 setting -D for tlssrv and -v for imap4d. I see

cpu Jun 14 13:37:18 192.168.100.111!1104 tls reports tls secrets

cpu Jun 14 13:37:18 192.168.100.111!1104 tls reports recv HFinished
52bdd00117f027d40ebca361

cpu Jun 14 13:37:18 192.168.100.111!1104 tls reports send HFinished
a16de6cbdf068b098317665a

cpu Jun 14 13:37:18 192.168.100.111!1104 tls reports tls finished

cpu Jun 14 13:37:18 192.168.100.111!1104 tls reports open

: imap4d debugging enabled
* ok cpu.9fs.org IMAP4rev1 server ready

and then Outlook Express times out.

Any hints on how to debug this?




