SSL and TLS

New in version 1.9.4.

Botan supports both client and server implementations of the SSL/TLS protocols, including SSL v3, TLS v1.0, and TLS v1.1. The insecure and obsolete SSL v2 is not supported.

The implementation uses std::tr1::function, so it may not have been compiled into the version you are using; you can test for the feature macro BOTAN_HAS_SSL_TLS to check.

TLS Clients

class TLS_Client
TLS_Client(std::tr1::function<size_t, byte*, size_t> input_fn, std::tr1::function<void, const byte*, size_t> output_fn, const TLS_Policy &policy, RandomNumberGenerator &rng)

Creates a TLS client. It will call input_fn to read bytes from the network and call output_fn when bytes need to be written to the network.

size_t read(byte *buf, size_t buf_len)

Reads up to buf_len bytes from the open connection into buf, returning the number of bytes actually written.

void write(const byte *buf, size_t buf_len)

Writes buf_len bytes in buf to the remote side

void close()

Closes the connection

std::vector<X509_Certificate> peer_cert_chain()

Returns the certificate chain of the server

A simple TLS client example:

#include <botan/botan.h>
#include <botan/tls_client.h>
#include "socket.h"

using namespace Botan;

#include <stdio.h>
#include <string>
#include <iostream>
#include <memory>

class Client_TLS_Policy : public TLS_Policy
   {
   public:
      bool check_cert(const std::vector<X509_Certificate>& certs) const
         {
         for(size_t i = 0; i != certs.size(); ++i)
            {
            std::cout << certs[i].to_string();
            }

         std::cout << "Warning: not checking cert signatures\n";

         return true;
         }
   };

int main(int argc, char* argv[])
   {
   if(argc != 2 && argc != 3)
      {
      printf("Usage: %s host [port]\n", argv[0]);
      return 1;
      }

   try
      {
      LibraryInitializer botan_init;

      std::string host = argv[1];
      u32bit port = argc == 3 ? Botan::to_u32bit(argv[2]) : 443;

      printf("Connecting to %s:%d...\n", host.c_str(), port);

      SocketInitializer socket_init;

      Socket sock(argv[1], port);

      AutoSeeded_RNG rng;

      Client_TLS_Policy policy;

      TLS_Client tls(std::tr1::bind(&Socket::read, std::tr1::ref(sock), _1, _2),
                     std::tr1::bind(&Socket::write, std::tr1::ref(sock), _1, _2),
                     policy, rng);

      printf("Handshake extablished...\n");

#if 0
      std::string http_command = "GET / HTTP/1.1\r\n"
                                 "Server: " + host + ':' + to_string(port) + "\r\n\r\n";
#else
      std::string http_command = "GET / HTTP/1.0\r\n\r\n";
#endif

      tls.write((const Botan::byte*)http_command.c_str(),
                http_command.length());

      size_t total_got = 0;

      while(true)
         {
         if(tls.is_closed())
            break;

         Botan::byte buf[128+1] = { 0 };
         size_t got = tls.read(buf, sizeof(buf)-1);
         printf("%s", buf);
         fflush(0);

         total_got += got;
         }

      printf("\nRetrieved %d bytes total\n", total_got);
   }
   catch(std::exception& e)
      {
      printf("%s\n", e.what());
      return 1;
      }
   return 0;
   }

TLS Servers

A simple TLS server

#include <botan/botan.h>
#include <botan/tls_server.h>

#include <botan/rsa.h>
#include <botan/dsa.h>
#include <botan/x509self.h>

#include "socket.h"

using namespace Botan;

#include <stdio.h>
#include <string>
#include <iostream>
#include <memory>

class Server_TLS_Policy : public TLS_Policy
   {
   public:
      bool check_cert(const std::vector<X509_Certificate>& certs) const
         {
         for(size_t i = 0; i != certs.size(); ++i)
            {
            std::cout << certs[i].to_string();
            }

         std::cout << "Warning: not checking cert signatures\n";

         return true;
         }
   };

int main(int argc, char* argv[])
   {
   int port = 4433;

   if(argc == 2)
      port = to_u32bit(argv[1]);

   try
      {
      LibraryInitializer botan_init;
      SocketInitializer socket_init;

      AutoSeeded_RNG rng;

      //RSA_PrivateKey key(rng, 1024);
      DSA_PrivateKey key(rng, DL_Group("dsa/jce/1024"));

      X509_Cert_Options options(
         "localhost/US/Syn Ack Labs/Mathematical Munitions Dept");

      X509_Certificate cert =
         X509::create_self_signed_cert(options, key, "SHA-1", rng);

      Server_Socket listener(port);

      Server_TLS_Policy policy;

      while(true)
         {
         try {
            printf("Listening for new connection on port %d\n", port);

            Socket* sock = listener.accept();

            printf("Got new connection\n");

            TLS_Server tls(
              std::tr1::bind(&Socket::read, std::tr1::ref(sock), _1, _2),
              std::tr1::bind(&Socket::write, std::tr1::ref(sock), _1, _2),
              policy,
              rng,
              cert,
              key);

            std::string hostname = tls.requested_hostname();

            if(hostname != "")
               printf("Client requested host '%s'\n", hostname.c_str());

            printf("Writing some text\n");

            char msg[] = "Foo\nBar\nBaz\nQuux\n";
            tls.write((const Botan::byte*)msg, strlen(msg));

            printf("Now trying a read...\n");

            char buf[1024] = { 0 };
            u32bit got = tls.read((Botan::byte*)buf, sizeof(buf)-1);
            printf("%d: '%s'\n", got, buf);

            tls.close();
            }
         catch(std::exception& e) { printf("%s\n", e.what()); }
         }
   }
   catch(std::exception& e)
      {
      printf("%s\n", e.what());
      return 1;
      }
   return 0;
   }