well if the client waited for the server to send its finished message first, but it's
critical that they both agree on the order for interoperability.
The send_finished code from Listing 6-48 can be used almost as is; the only
difference between a client finished and a server finished is that the label input
to the PRF by the server is the string "server finished", rather than the string
"client finished". This necessitates one small change to the send_finished
function shown in Listing 7-20.
Listing 7-20: "tls.c" send_finished with server support

  static int send_finished( int connection,
                            TLSParameters *parameters )
  {
    unsigned char verify_data[ VERIFY_DATA_LEN ];

    /* The PRF label is the only thing that differs between the two ends:
       the endpoint role recorded in the parameters selects it. */
    compute_verify_data(
      parameters->connection_end == connection_end_client ?
        "client finished" : "server finished",
      parameters, verify_data );

    /* The remainder of the function is unchanged from Listing 6-48. */
  }
And that's it. Everything else continues on just as it would have if this were a
client connection; TLS doesn't care which endpoint you are after the handshake
is complete.
You can run this ssl_webserver and connect to it from a standard browser;
the response is the simple “Nothing here” message that was hardcoded into it.
You'll have problems with Firefox and IE, unfortunately, because they (still!)
try to negotiate an SSLv2 connection before “falling back” to TLS 1.0. Most TLS
implementations are set up to recognize and reject SSLv2 connections; this one
simply hangs if an SSLv2 connection request is submitted. Of course, the HTTPS
client from Chapter 6 should connect with no problems.
You can (and should!) disable SSLv2 support within IE8:
1. Go to Tools > Internet Options > Advanced, and scroll down to the
Security section.
2. Uncheck the boxes Use SSL 2.0 and Use SSL 3.0.
3. Check the Use TLS 1.0 box, which is unchecked by default. Your Internet
Options should look like Figure 7-4.
You should now be able to run the ssl_webserver example and connect to
it from your browser. The page just states “Nothing here,” but if you're feeling
adventurous, you can easily change this to display anything you can think of.
If you run into otherwise inexplicable problems, ensure that the certificate
file and the key file match. It's very easy to accidentally change a certificate file
and forget to change the key file. One way to ensure that you've got the right
key file for your certificate file is to compare the RSA moduli of each. If they're
the same, the files match.
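As an added example, not code from the book: a shell check that a PEM certificate and a PEM RSA private key carry the same RSA modulus, using the openssl command-line tool (assumed to be installed); the make_test_pair helper, which generates a throwaway self-signed pair so the check can be exercised offline, is likewise an assumption of this example.

```shell
# Added example, not the book's code: confirm a PEM certificate and a PEM RSA
# private key belong together by comparing their RSA moduli. Assumes the
# openssl CLI is installed. Exit status: 0 match, 1 mismatch, 2 unreadable input.
cert_key_match() {
    cert="$1"
    key="$2"
    # "-modulus" prints "Modulus=<hex>" for the public key inside the certificate...
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 2
    # ...and the same n from the private key (which stores n alongside d, p, q).
    # An empty -passin stops openssl from prompting if the key turns out to be encrypted.
    key_mod=$(openssl rsa -noout -modulus -passin pass: -in "$key" 2>/dev/null) || return 2
    # Digest the long hex strings so a log line is short enough to compare by eye.
    cert_fp=$(printf '%s' "$cert_mod" | openssl dgst -sha256 | awk '{print $NF}')
    key_fp=$(printf '%s' "$key_mod" | openssl dgst -sha256 | awk '{print $NF}')
    if [ "$cert_mod" = "$key_mod" ]; then
        echo "match: modulus digest $cert_fp"
        return 0
    fi
    echo "MISMATCH: certificate modulus $cert_fp, key modulus $key_fp" >&2
    return 1
}

# Helper (an assumption for this example): generate a throwaway self-signed
# certificate and matching key so the check can be run without real files.
# Usage: make_test_pair CERT_OUT KEY_OUT COMMON_NAME
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$2" -out "$1" >/dev/null 2>&1
}
```

Run the check against the exact certificate and key files you hand to ssl_webserver, since a pair that matches in one directory says nothing about the copies the server actually loads.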