EldoS | Feel safer!

Software components for data protection, secure storage and transfer

How to check whether the connecting client is a ssl client

Also by EldoS: CallbackFilter
A component to monitor and control disk activity, track file and directory operations (create, read, write, rename etc.), alter file data, encrypt files, create virtual files.
Posted: 04/24/2006 03:52:10
by michael ullrich (Basic support level)
Joined: 04/24/2006
Posts: 1


I have the following problem. I have a ssl server and want to catch if a tcp (non ssl) client is connecting.

Rencently I am using the following code:
m_ClientSocket.BeginReceive(m_inBuffer, m_inBufferOffset, _
m_inBuffer.Length - m_inBufferOffset, 0, _
New AsyncCallback(AddressOf AsyncReceiveCallback), m_ClientSocket)

m_SecureServer.CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_RC4_MD5) = True
Do While Not m_SecureServer.Active

How can I check whether the connecting client is a ssl client?


Posted: 04/24/2006 04:19:19
by Ken Ivanov (EldoS Corp.)

How can I check whether the connecting client is a ssl client?

You should cache the first packet received from the client side and perform its analisys before passing it to ElSecureServer instance. The incoming packet may be either an SSL2 or SSL3/TLS1 packet. In case of SSL3/TLS1 packet you need to check if the first three bytes are:
0x16, 0x03, 0x01 for TLS1,
0x16, 0x03, 0x00 for SSL3.

The case of SSL2 packet is more difficult, since SSL2 packets do not include any protocol-specific identifiers. ElSecureServer uses the following code to detect if the first received packet is a valid SSL2 packet (Delphi code):
FInBufferNeeded := ((FInBuffer[0] and $7F) shl 8) or
if FInBufferNeeded > 400 then
  // not a valid SSL hello message
  // ...

So, we recommend you to use the following approach to check if the first incoming packet is an SSL handshake packet:
1. Get the first 3 bytes from the incoming stream,
2. Compare them with TLS1 and SSL3 identifiers,
3. If (2) failed (i.e., the incoming data is neither SSL3 nor TLS1 packet), perform the SSL2 comparison using the first two bytes.



Topic viewed 6093 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!