Assignment 9 cns06
revised: 9/20/06
Assigned: 10/31/06
Due: 6:00pm 11/18/06
Objective: SSL and ncp
Points: 25

Create an SSL version of the ncp client. We don't need all the authenticators, hashing, encryption, and D-H of assignments 4, 7, and 8, so the packet structure is much simpler (see the new ncp.h). See the starter files and use the *.pem files in ~dunigan/cns06/ncp-ssl/. Also see the class lecture notes and the O'Reilly book on OpenSSL and its chapter 5 examples in ~dunigan/cns06/ncp-oreilly/.

( 5) 1. Create your client public/private key and certificate.

Edit client.cnf and change all occurrences of FIXME@cs.utk.edu to your email address. Change the commonName line to your name. Use the following commands to create your key and have the key "signed" by the root CA:

  openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem -config client.cnf -reqexts req_extensions -days 365
  openssl x509 -req -in clientreq.pem -sha1 -extfile client.cnf -extensions certificate_extensions -CA root.pem -CAkey root.pem -CAcreateserial -out clientcert.pem
  cat clientcert.pem clientkey.pem rootcert.pem > client.pem

The "password" for the root CA private key is test. Your public/private key and X509 cert are now in client.pem. Use test as the passphrase for your client key, too, so the TA can test your code.

(15) 2. Modify the client program in ~dunigan/cns06/ncp-ssl to use SSL.

My server expects your client to provide a certificate (see 1 above). Your client should use rootcert.pem from ~dunigan/cns06/ncp-ssl/ to verify the server's certificate. Your client will need to set up the SSL context as discussed in class (and see the examples in ~dunigan/cns06/ssl-oreilly). You'll need to associate the SSL context with the BIO connection. After SSL_connect() you must make sure SSL validated the server's cert using SSL_get_verify_result(), and you will need to have set a verify callback so that SSL_get_verify_result() failures come with more detailed error feedback.

Replace the BIO_read/write calls with SSL_read/write. Since SSL_read() reads one SSL record at a time, you can get rid of readblock() and use SSL_read() in its place. Don't forget to check all return values from SSL functions, and don't forget to add the usual documentation to your program.

( 5) 3. Test your client with whisper.cs.utk.edu.

a) The server on port 4324 should work; test with
     ncp-ssl 4324 xx.tmp whisper.cs.utk.edu:out.tmp
     ncp-ssl 4324 whisper.cs.utk.edu:in.tmp tmp
   Paste what gets written into your file by the second command into your ANSWERS file.
b) Test again but use port 4325. What error does your client report? Paste the error message into your ANSWERS file.
c) Test again but use port 4326. What error does your client report? Paste the error message into your ANSWERS file.

Put your answers in a file called ANSWERS in a directory with your source code, *.pem files, and Makefile, then use 594cns_submit to submit the ANSWERS file and your SSL program source to the TA.