EldoS | Feel safer!
How to check whether the connecting client is a ssl client

#49
Posted: 04/24/2006 03:52:10
by michael ullrich (Basic support level)

Hi,

I have the following problem. I have an SSL server and want to catch if a TCP (non-SSL) client is connecting.

Recently I am using the following code:
m_ClientSocket.BeginReceive(m_inBuffer, m_inBufferOffset, _
m_inBuffer.Length - m_inBufferOffset, 0, _
New AsyncCallback(AddressOf AsyncReceiveCallback), m_ClientSocket)

m_SecureServer.CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_RC4_MD5) = True
m_SecureServer.Open()
Do While Not m_SecureServer.Active
System.Threading.Thread.Sleep(100)
Loop

How can I check whether the connecting client is an SSL client?

Thanks

Mike
#50
Posted: 04/24/2006 04:19:19
by Ken Ivanov (EldoS Corp.)

Quote
How can I check whether the connecting client is an SSL client?

You should cache the first packet received from the client side and perform its analysis before passing it to the ElSecureServer instance. The incoming packet may be either an SSL2 or an SSL3/TLS1 packet. In the case of an SSL3/TLS1 packet you need to check if the first three bytes are:
0x16, 0x03, 0x01 for TLS1,
0x16, 0x03, 0x00 for SSL3.

The case of SSL2 packet is more difficult, since SSL2 packets do not include any protocol-specific identifiers. ElSecureServer uses the following code to detect if the first received packet is a valid SSL2 packet (Delphi code):
Code
FInBufferNeeded := ((FInBuffer[0] and $7F) shl 8) or
        FInBuffer[1];
if FInBufferNeeded > 400 then
begin
  // not a valid SSL hello message
  // ...
end;

So, we recommend that you use the following approach to check if the first incoming packet is an SSL handshake packet:
1. Get the first 3 bytes from the incoming stream,
2. Compare them with TLS1 and SSL3 identifiers,
3. If (2) failed (i.e., the incoming data is neither SSL3 nor TLS1 packet), perform the SSL2 comparison using the first two bytes.
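The three-step check above, written out as an added example in Python (not code from the forum post, not part of SecureBlackbox, and independent of ElSecureServer): a pure classifier over the first bytes of the cached packet, plus a helper that peeks at a connected socket without consuming the bytes, so the unchanged stream can still be handed to the SSL engine. It goes slightly beyond the post in two places, both noted in comments: it accepts record versions 0x03 0x01 through 0x03 0x03 as "TLS1" (TLS 1.0 to 1.2 record headers, which modern ClientHellos still carry), and for SSL2 it additionally requires the 2-byte-header bit (high bit of byte 0) and the CLIENT-HELLO message type 0x01 in byte 2. The 400-byte limit is the threshold quoted from the Delphi snippet; the function and enum names are my own.

```python
import enum
import socket


class FirstPacketKind(enum.Enum):
    TLS1 = "TLS 1.x handshake record"
    SSL3 = "SSL 3.0 handshake record"
    SSL2 = "SSL 2.0 client hello"
    PLAIN = "not an SSL/TLS handshake (plain TCP client)"
    NEED_MORE = "fewer than 3 bytes cached so far"


# Upper bound on a sane SSL2 CLIENT-HELLO length, taken from the Delphi snippet above.
SSL2_MAX_HELLO_LEN = 400


def classify_first_packet(data: bytes) -> FirstPacketKind:
    """Classify the first bytes a client sent, following the 3-step recipe:
    TLS1 / SSL3 identifiers first, SSL2 length check second, else plain TCP."""
    if len(data) < 3:
        return FirstPacketKind.NEED_MORE

    # Step 1/2: SSL3 and TLS records start with content type 0x16 (handshake)
    # followed by the record version, major byte 0x03.
    if data[0] == 0x16 and data[1] == 0x03:
        if data[2] == 0x00:
            return FirstPacketKind.SSL3
        # Generalisation beyond the post: 0x01..0x03 covers TLS 1.0 .. 1.2 record versions.
        if 0x01 <= data[2] <= 0x03:
            return FirstPacketKind.TLS1
        return FirstPacketKind.PLAIN

    # Step 3: SSL2 record with a 2-byte header.  The high bit of byte 0 set
    # means "2-byte header, no padding" (what a CLIENT-HELLO uses); the
    # remaining 15 bits are the record length, exactly as in the Delphi code.
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        # Extra check beyond the post: byte 2 is the SSL2 message type, 0x01 = CLIENT-HELLO.
        if 0 < length <= SSL2_MAX_HELLO_LEN and data[2] == 0x01:
            return FirstPacketKind.SSL2

    return FirstPacketKind.PLAIN


def is_ssl_client(data: bytes) -> bool:
    """True when the cached first packet looks like any SSL/TLS handshake start."""
    return classify_first_packet(data) in (
        FirstPacketKind.TLS1, FirstPacketKind.SSL3, FirstPacketKind.SSL2)


def peek_client_kind(conn: socket.socket) -> FirstPacketKind:
    """Look at the first 3 bytes of a connected TCP socket without consuming them
    (MSG_PEEK), so the full stream can afterwards be fed to the SSL server object.
    Assumes a blocking, already-accepted socket."""
    head = conn.recv(3, socket.MSG_PEEK)
    return classify_first_packet(head)


if __name__ == "__main__":
    # Constructed sample first packets (not captured traffic).
    samples = {
        "tls1.0 client hello": bytes.fromhex("160301002a0100"),
        "ssl3 client hello":   bytes.fromhex("160300002a0100"),
        "ssl2 client hello":   bytes.fromhex("802e010002"),
        "http request":        b"GET / HTTP/1.1\r\n",
        "ssl2-looking, too long": bytes.fromhex("819101"),   # length 0x0191 = 401
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {classify_first_packet(pkt).name}")
```

In practice the server accepts the connection, peeks (or caches) the first three bytes, and only then decides whether to hand the socket to the SSL engine or to treat the connection as a plain TCP client; because the bytes are peeked rather than read, the SSL engine still sees the complete ClientHello.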
