Re: [asio-users] [EXTERNAL] Re: Native Windows ssl::stream support
From: Scott M. <smu...@os...> - 2020-07-21 20:16:45
Hello,

The Windows Secure Socket extensions are a way to negotiate using the IPsec services for network connections. It does not use TLS, but it looks like it would be trivial to plug this IPsec negotiation straight into ASIO by invoking the secure socket extension calls on your sockets before handing them off to ASIO, and then checking to see what kind of properties the IPsec channels have after the connections succeed.

The Schannel methods are transport agnostic, so it should be possible to use these in ASIO just like OpenSSL. The only real gotchas in Schannel involve making certain that the use patterns are correct: the buffer set-up, renegotiation and shutdown are all handled properly. There is documentation for these, but it is tricky to navigate and the samples are strange (everything is under the same SSPI umbrella). Microsoft documentation in this arena is very sparse and only really makes sense if you are referring to a working sample. If you can find the Windows 2000 SDK, you'll find some complete (more or less) samples that implement an Schannel client and server.

I've worked with this quite a bit in the past, so I could probably help with this some, time permitting.

Best regards,

M. Scott Mueller
Staff engineer - ACME team (communications and fundamental types)
OSIsoft, LLC

-----Original Message-----
From: Kasper Laudrup <la...@st...>
Sent: Tuesday, July 21, 2020 9:38 AM
To: asi...@li...
Subject: [EXTERNAL] Re: [asio-users] Native Windows ssl::stream support

On 21/07/2020 18.08, Vinnie Falco wrote:
>
> Well, I still think it is worth discussing with other folks, as this
> can only help to inform your efforts.
>

Of course. I appreciate the help I can get.

> How does Windows TLS work? Is it buffer-oriented? Or does Windows
> control the socket? The answer to this question will have dramatic
> influence on how your code is designed. If Windows wants to control
> the socket, it will require more finesse and understanding of Asio to
> author an I/O object that implements Windows TLS.
>

As far as I can tell, both options are supported. You can either make Windows control the socket:

https://docs.microsoft.com/en-us/windows/win32/winsock/using-secure-socket-extensions

Or use SChannel as a wrapper around an existing socket:

https://docs.microsoft.com/en-us/windows/win32/secauthn/using-sspi-with-a-windows-sockets-client

I was planning to look into the SChannel approach as that seems closest to how the OpenSSL implementation works.

Kind regards,

Kasper Laudrup

_______________________________________________
asio-users mailing list
asi...@li...
https://lists.sourceforge.net/lists/listinfo/asio-users
_______________________________________________
Using Asio? List your project at
http://think-async.com/Asio/WhoIsUsingAsio