CHAPTER 7

Adding Server-Side TLS 1.0 Support

The previous chapter examined the TLS protocol in detail from the perspective of the client. This chapter examines the server's role in the TLS exchange. Although you should have a pretty good handle by now on what's expected of the server, the implementation includes a few gotchas that you should be aware of.

The good news is that you can reuse most of the code from the previous chapter; the supporting infrastructure behind encrypting and authenticating is exactly the same for the server as for the client. For the most part, implementing the server's view of the handshake involves sending what the client received and receiving what the client sent. After the handshake is complete, tls_send, tls_recv, and tls_shutdown work exactly as they do on the client side.

Implementing the TLS 1.0 Handshake from the Server's Perspective

You need to have a way to verify the server-side code, so add HTTPS support to the simple web server developed in Chapter 1. The startup and listen routine doesn't change at all. Of course, it's listening on port 443 instead of port 80, but otherwise, the main routine in Listing 7-1 is identical to the one in Listing 1-18.

Listing 7-1: "ssl_webserver.c" main routine

#define HTTPS_PORT 443
...
 local_addr.sin_port = htons( HTTPS_PORT );
...
 while ( ( connect_sock = accept( listen_sock,
                                  ( struct sockaddr * ) &client_addr,
                                  &client_addr_len ) ) != −1 )
 {
   process_https_request( connect_sock );
 }

As you can see, there's ...