TLS-SRP in OpenSSL

From Trusted HTTP

Tutorial

Create an SRP passwd file

# create a new, empty verifier file (openssl srp expects the file to exist)
touch passwd.srpv
 
# add a user whose verifier uses the 1536-bit RFC 5054 group
openssl srp -srpvfile passwd.srpv -gn 1536 -add jsmith
# enter the password twice when prompted
 
# check that it worked: -modify first asks for the old password and
# rejects a wrong one, so keep a backup and abort before changing anything
cp passwd.srpv passwd.srpv.bak
openssl srp -srpvfile passwd.srpv -modify jsmith
# you'll be prompted for the old password and can then set a new one.
# If you set a new password here, this will use the 8192-bit modulus, which
# GnuTLS seems to have trouble with (pass -gn 1536 explicitly if you really
# want to change it). So Ctrl-C out at the new-password prompt, or restore
# passwd.srpv from the backup taken before this -modify step.

Run a sample OpenSSL SRP server

# -cipher SRP enables both the SRP-AES-* suites (password only) and the
# SRP-RSA-* suites (password plus server certificate); server.crt/server.key
# are any server certificate and key. SRP ciphersuites do not exist in
# TLS 1.3, so the version must be pinned at 1.2 or lower (-tls1 here;
# -tls1_2 also works). -www answers HTTP GET with a status page.
openssl s_server -srpvfile passwd.srpv -tls1 -cipher SRP -cert server.crt -key server.key -www

Then connect to the server on port 4433 (the s_server default) as the user you created above, jsmith, with the password you entered:

gnutls-cli --srpusername jsmith --srppasswd <password> 127.0.0.1 -p 4433
# type "GET /" <enter>
# If the handshake fails with no SRP ciphersuite offered, your GnuTLS default
# priority string leaves SRP out: add --priority "NORMAL:+SRP:+SRP-RSA"
# (plus +VERS-TLS1.0 if the server is pinned to -tls1 as above).

openssl_helper in Chromium

For Chromium's openssl_helper, run the following (once you've compiled Chrome):

out/Debug/openssl_helper open-socket tls-srp --srpv-file net/data/ssl/certificates/ok.srpv --port 4443

Then connect to localhost:4443 with username "user" and password "secret". Type "whoami" followed by <ENTER> and the helper prints your username. (The server exits after each connection.)

To see the source code of Chromium's openssl_helper, open src/net/test/openssl_helper.cc in the Chromium source tree.

Notes

  • If you have an OpenSSL daily snapshot installed in /usr/local, you need to edit /usr/local/include/openssl/srp.h and remove the const from the last two parameters (N and g) of the SRP_create_verifier prototype, so that it reads:
char *SRP_create_verifier(const char *user, const char *pass, char **salt,
                          char **verifier, char *N, char *g);