TLS encryption for Client/Server IPv6/IPv4 communication
What is ucspi-ssl?
sslserver, sslclient, and sslhandle are command-line tools for building SSL client-server applications. They conform to the UNIX Client-Server Program Interface, UCSPI.
sslserver listens for IPv6 and/or IPv4 connections, and runs a program for each connection it accepts. The program environment includes variables that hold the local and remote host names, IP addresses, and port numbers. sslserver offers a concurrency limit on the acceptance of new connections, and selective handling of connections based on client identity, supporting CIDR IP address notation. sslserver supports STARTTLS and STLS.
sslclient requests a connection to either an IPv6 or an IPv4 TCP socket, and runs a program. The program environment includes the same variables as for sslserver.
Sources
- ucspi-ssl 0.95b [MD5 = a9fd37da2dd68861a3ff6bb9f1589364]
- ucspi-ssl 0.94 [MD5 = dace7f8151eefcd21e37cc9f8d28b122]
- ucspi-ssl 0.84 (IPv4 only) [MD5 = 3a3347d1b80e9962a0bab49b0b4d8692]
- ucspi-ssl Doxygen documentation
History
ucspi-ssl 0.95 is a fork of Superscript's ucspi-ssl 0.70 version, including
- Scott Gifford's STARTTLS extensions,
- certificate chaining support,
- SubAltName recognition for FQDN verification, and
- CIDR support for the cdb to filter IPv4/IPv6 connections.
- IPv6 enhancements are taken mainly from Felix von Leitner.
Note: Due to the IPv6 support, the command-line arguments of the respective programs have changed slightly.
- ucspi-ssl 0.93 is streamlined with ucspi-tls6 1.00.
- ucspi-ssl 0.94 provides extended client (user) X.509 certificate support for sslserver.
- ucspi-ssl 0.95 allows sslserver to log the SSL protocol and cipher settings by means of option -V:
  @4000000054b2cd36310b0fb4 sslserver: ssl 20791 accept TLSv1:AES128-SHA
  While SSL negotiation is disabled by default (to prevent the POODLE bug), TLSv1 can be switched off prior to compilation by modifying the file ucspissl.h.
- ucspi-ssl-0.95b detects the AMD64 environment automatically and, in addition, the support for dynamic load libraries required by some Linux systems.
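The -V log line quoted above is the kind of record a defender wants to audit: it tells, per accepted session, which protocol version and cipher suite the peer actually negotiated. The following script is an added example, not code from ucspi-ssl; it parses such lines (wrapped in the TAI64N timestamps that multilog prepends), decodes the timestamp, and flags sessions that use a legacy protocol, a non-forward-secret key exchange or a broken primitive. The sample log lines and the policy are constructed for the example, and the line format beyond the single line shown on this page is an assumption.

```python
"""Audit sslserver -V protocol/cipher log lines (added example, not ucspi-ssl code)."""
import re
from collections import Counter
from typing import Dict, List

# Constructed multilog output: TAI64N stamp, then the sslserver -V accept line.
# The "status:" line is the usual concurrency counter and is ignored here.
SAMPLE_LOG = """\
@4000000054b2cd36310b0fb4 sslserver: ssl 20791 accept TLSv1:AES128-SHA
@4000000054b2cd4a1c2e8d10 sslserver: ssl 20792 accept TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384
@4000000054b2cd5b0a1b2c3d sslserver: ssl 20793 accept TLSv1.1:DHE-RSA-AES256-SHA
@4000000054b2cd6c00000000 sslserver: status: 3/20
@4000000054b2cd7d00000000 sslserver: ssl 20794 accept TLSv1.2:AES128-GCM-SHA256
"""

# Assumed line layout: the one line shown on the page, generalised to any pid,
# protocol name and OpenSSL cipher-suite name.
ACCEPT = re.compile(
    r"^(?P<stamp>@[0-9a-f]{24}) sslserver: ssl (?P<pid>\d+) accept "
    r"(?P<proto>[^:\s]+):(?P<cipher>\S+)$"
)

# Constructed policy: modern protocol versions only, forward-secret key
# exchange (ECDHE/DHE, or the TLS 1.3 suites OpenSSL names TLS_...), and
# none of the primitives known to be broken.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")
BROKEN_PRIMITIVES = ("RC4", "DES", "MD5", "NULL", "EXP")


def tai64n_seconds(stamp: str) -> int:
    """Seconds field of a TAI64N label: '@', 16 hex digits of TAI seconds
    offset by 2**62, then 8 hex digits of nanoseconds. TAI runs ahead of
    UTC by the accumulated leap seconds, so subtract them for wall-clock time."""
    return int(stamp[1:17], 16) - (1 << 62)


def parse_accepts(log: str) -> List[Dict[str, object]]:
    """One record per accepted TLS session; non-matching lines are skipped."""
    records: List[Dict[str, object]] = []
    for line in log.splitlines():
        m = ACCEPT.match(line)
        if m:
            records.append({
                "time": tai64n_seconds(m["stamp"]),
                "pid": int(m["pid"]),
                "proto": m["proto"],
                "cipher": m["cipher"],
            })
    return records


def audit(records: List[Dict[str, object]]) -> List[str]:
    """Human-readable finding per session that violates the policy."""
    findings: List[str] = []
    for r in records:
        cipher = str(r["cipher"])
        problems = []
        if r["proto"] not in ALLOWED_PROTOCOLS:
            problems.append(f"legacy protocol {r['proto']}")
        if not cipher.startswith(PFS_PREFIXES):
            problems.append("no forward secrecy")
        if any(p in cipher for p in BROKEN_PRIMITIVES):
            problems.append("broken primitive")
        if problems:
            findings.append(f"pid {r['pid']} {r['proto']}:{cipher}: " + ", ".join(problems))
    return findings


def protocol_counts(records: List[Dict[str, object]]) -> Counter:
    """How often each protocol version was negotiated; useful before disabling one."""
    return Counter(str(r["proto"]) for r in records)


if __name__ == "__main__":
    recs = parse_accepts(SAMPLE_LOG)
    print("sessions per protocol:", dict(protocol_counts(recs)))
    for finding in audit(recs):
        print("WARN", finding)
```

Run it against a real multilog directory by concatenating the current and rotated log files into `parse_accepts`; the protocol counts show whether any clients still depend on TLSv1 before it is compiled out via ucspissl.h as the entry above describes.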
ucspi-ssl 0.95 provides a high-level programming interface for OpenSSL which is mandatory to achieve Spamcontrol's STARTTLS support for qmail.
This is facilitated by means of the library ucspissl.a (located in ./compile after compilation) and the header file ucspissl.h.
In order to achieve backward compatibility with Spamcontrol 2.6, both files have to be copied (locally) to ssl.a and ssl.h respectively, prior to compiling Spamcontrol.
In order to use ucspi-ssl, you need to install ucspi-tcp6 as a dependency, since its tcprules program generates the cdb. Older versions, e.g. ucspi-tcp-0.88, can be used, but provide neither CIDR nor IPv6 support for the cdb.
How to install ucspi-ssl
ucspi-ssl uses D.J. Bernstein's /package conventions for installation.
Typically, un-tarring the archive under /package, changing to host/superscript.com/net/ucspi-ssl-<version>
and calling package/install is enough.
ucspi-ssl is pre-packaged to suit the AMD64 environment.
Depending on your Perl settings, you may have more success with package/install base and package/man
for the additional man pages.
Note: The additional Perl module and the available tests (package/rts) may not succeed on every Unix platform.
Description of the programs
Clients and servers:
Dependencies
In order to build the cdb that controls incoming connections for sslserver, the program tcprules is required, which comes with the ucspi-tcp6 package. Older versions of ucspi-tcp can be used as well, but provide neither IPv4 CIDR nor IPv6 capabilities. The generated cdb, however, is binary compatible among all versions.
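The CIDR-based connection filtering mentioned in the introduction and in this Dependencies section is decided by sslserver from the cdb that tcprules compiles. The script below is an added example, not code from ucspi-ssl or ucspi-tcp6: it re-implements that decision in Python so a rule file can be dry-run against a list of client addresses before it is compiled. The rule file is constructed for the example. Assumptions: tcprules syntax of one rule per line, `ADDRESS:allow` or `ADDRESS:deny` optionally followed by `,VAR="value"` settings exported to the program; ADDRESS is an exact IPv4/IPv6 address, a CIDR prefix (ucspi-tcp6 style), a dotted IPv4 prefix such as `10.20.`, or empty for the default rule; precedence is exact address, then longest matching prefix, then the default rule. The real lookup order of tcprules should be confirmed in its man page.

```python
"""Dry-run evaluator for tcprules-style access rules with CIDR prefixes.

Added example, not code from ucspi-ssl or ucspi-tcp6.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed rule file for the example (tcprules syntax as assumed above).
SAMPLE_RULES = """\
# local and LAN submission clients may relay
127.0.0.1:allow,RELAYCLIENT=""
::1:allow,RELAYCLIENT=""
192.168.10.0/24:allow,RELAYCLIENT=""
2001:db8:1::/48:allow,RELAYCLIENT=""
# a partner network in the old dotted-prefix notation
10.20.:allow
# one host inside the LAN that must not relay
192.168.10.66:deny
:deny
"""

Rule = Tuple[str, str, Dict[str, str]]   # (address pattern, verdict, environment)
# The address may itself contain colons (IPv6), so the separator is taken to be
# the first ':' that is directly followed by the verdict.
_RULE = re.compile(r'^(?P<addr>\S*?):(?P<verdict>allow|deny)(?:,(?P<settings>.*))?$')
_SETTING = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines; blank lines and '#' comments are ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if m is None:
            raise ValueError(f"unparseable rule: {raw!r}")
        env = dict(_SETTING.findall(m["settings"] or ""))
        rules.append((m["addr"], m["verdict"], env))
    return rules


def _specificity(pattern: str, ip) -> Optional[int]:
    """Prefix length if `pattern` covers `ip`, None if it does not match."""
    if pattern == "":
        return -1                                   # default rule, least specific
    if "/" in pattern:                              # CIDR prefix, IPv4 or IPv6
        net = ipaddress.ip_network(pattern, strict=False)
        return net.prefixlen if (ip.version == net.version and ip in net) else None
    if pattern.endswith(".") and ip.version == 4:   # dotted prefix, e.g. "10.20."
        return 8 * pattern.count(".") if str(ip).startswith(pattern) else None
    try:
        exact = ipaddress.ip_address(pattern)
    except ValueError:
        return None                                 # host-name rules are out of scope
    return ip.max_prefixlen + 1 if exact == ip else None   # exact beats any prefix


def decide(rules: List[Rule], remote_ip: str) -> Tuple[str, Dict[str, str]]:
    """Verdict and extra environment for one remote address.

    Without any matching rule the connection is allowed, as tcpserver does,
    which is why a whitelist needs the trailing ':deny' default rule.
    """
    ip = ipaddress.ip_address(remote_ip)
    best: Optional[Tuple[int, str, Dict[str, str]]] = None
    for pattern, verdict, env in rules:
        score = _specificity(pattern, ip)
        if score is not None and (best is None or score > best[0]):
            best = (score, verdict, env)
    return ("allow", {}) if best is None else (best[1], best[2])


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for client in ("192.168.10.5", "192.168.10.66", "2001:db8:1:2::9",
                   "10.20.3.4", "10.200.3.4", "203.0.113.7"):
        verdict, env = decide(rules, client)
        print(f"{client:>18}  {verdict:5}  {env}")
```

The dotted-prefix test relies on the trailing dot, so `10.20.` does not match `10.200.3.4`; and the exact `192.168.10.66:deny` entry outranks the `/24` that would otherwise grant it `RELAYCLIENT`. Running this before `tcprules` catches the most common mistake, a missing default `:deny`, which silently turns the file into an allow-all.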
General information
- My SMTP and Transport Layer Security (TLS) tutorial.
- The ucspi-ssl environment variables (outdated; not working anymore).
- The ucspi-ssl protocol description (outdated; not working anymore).
- Scott Gifford's STARTTLS UCSPI-SSL extension.
Translations:
- A Polish translation provided by Daniela Milton can be found here.
- A French translation done by Silvia Moraru can be found here.
Note: These sites may refer to outdated versions of ucspi-ssl.
Security information
Since ucspi-ssl depends on OpenSSL, it is inherently affected by bugs and flaws in that library.
Thus, when OpenSSL is updated because of such a flaw, ucspi-ssl has to be rebuilt against the new version:
- Install the updated version of OpenSSL from your *NIX repository -- or --
- install OpenSSL from source. Make sure to use the same path as your original installation. Typically, the required header files are expected in /usr/include/openssl.
- Check your ucspi-ssl source directory; usually /package/host/superscript/net/ucspi-ssl-x.yz.
- Remove the directory ./compile and re-run package/install. This will link ucspi-ssl with the new OpenSSL version.
Note: Though ucspi-ssl did suffer from the Heartbleed bug in OpenSSL, it is very unlikely that this could have been exploited to obtain security-relevant information. sslserver in particular creates a new address space (containing the vulnerable SSL context) for each new connection and IP. In this sense, sslserver mitigates your risks.