TLS-SRP in OpenSSL
From Trusted HTTP
- TLS-SRP is in OpenSSL 1.0.1, which has not yet been released. Download a snapshot of OpenSSL 1.0.1 at ftp://ftp.openssl.org/snapshot/.
- Patch to OpenSSL 1.0.1 for RFC 5054 compatibility: http://trustedhttp.org/openssl-1.0.1+tls-srp-rfc5054-20110504.patch (This patch has been submitted to the OpenSSL request tracker.)
 Create an SRP passwd file
# create a new empty file
touch passwd.srpv
openssl srp -srpvfile passwd.srpv -gn 1536 -add jsmith
# enter the password twice

# check to make sure it worked
openssl srp -srpvfile passwd.srpv -modify jsmith
# you'll be prompted for your old password and can then change to a new password.
# If you do set a new password here, the entry will be rewritten with the 8192-bit
# modulus, which GnuTLS seems to have trouble with. So, ctrl-C out of this, or restore
# the passwd.srpv you had before this -modify step.
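What "openssl srp -add" actually writes into passwd.srpv is a salt and an RFC 5054 verifier, not the password. The following is an added example, not code from the Trusted HTTP page or from OpenSSL: it carries out that verifier computation in Python so you can see which values the file holds and why a copied file is still worth protecting. It uses the 1024-bit group from RFC 5054 Appendix A rather than the page's 1536-bit choice, because the RFC's Appendix B test vector (user "alice", password "password123", fixed salt) is for that group; the "jsmith" demo password, the function names and the 16-byte salt length are assumptions, and OpenSSL's own text encoding of salt and verifier in the srpvfile is not reproduced.

```python
import hashlib
import os
from typing import Optional, Tuple

# RFC 5054, Appendix A: the 1024-bit group (g = 2).  The page's "-gn 1536"
# picks the next larger group of the same form; 1024 is used here because
# RFC 5054 Appendix B gives a test vector for it.
N_1024 = int(
    "EEAF0AB9 ADB38DD6 9C33F80A FA8FC5E8 60726187 75FF3C0B 9EA2314C "
    "9C256576 D674DF74 96EA81D3 383B4813 D692C6E0 E0D5D8E2 50B98BE4 "
    "8E495C1D 6089DAD1 5DC7D7B4 6154D6B6 CE8EF4AD 69B15D49 82559B29 "
    "7BCF1885 C529F566 660E57EC 68EDBC3C 05726CC0 2FD4CBF4 976EAA9A "
    "FD5138FE 8376435B 9FC61D2F C0EB06E3".replace(" ", ""),
    16,
)
G_1024 = 2


def calc_x(salt: bytes, username: str, password: str) -> int:
    """x = SHA1(s | SHA1(I | ":" | P)), RFC 5054 section 2.4 (the same
    derivation OpenSSL's SRP_Calc_x performs)."""
    inner = hashlib.sha1(f"{username}:{password}".encode("utf-8")).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def create_verifier(username: str, password: str, salt: Optional[bytes] = None,
                    N: int = N_1024, g: int = G_1024) -> Tuple[bytes, int]:
    """Return (salt, v) with v = g^x mod N.  Together with the group id this
    is the record that ends up in passwd.srpv; the password itself does not."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per entry (assumed length)
    return salt, pow(g, calc_x(salt, username, password), N)


def guess_matches(username: str, guess: str, salt: bytes, v: int,
                  N: int = N_1024, g: int = G_1024) -> bool:
    """Recompute v from a candidate password and compare.  The TLS-SRP
    handshake never does this (the client proves knowledge of x without the
    password crossing the wire), but it is exactly one step of the offline
    dictionary attack anyone holding a copy of passwd.srpv can run."""
    return pow(g, calc_x(salt, username, guess), N) == v


def rfc5054_test_vector() -> Tuple[int, int]:
    """Inputs from RFC 5054 Appendix B: I = "alice", P = "password123"."""
    salt = bytes.fromhex("BEB25379D1A8581EB5A727673A2441EE")
    x = calc_x(salt, "alice", "password123")
    _, v = create_verifier("alice", "password123", salt)
    return x, v


if __name__ == "__main__":
    # Constructed demo entry; the password is not from the page.
    pw = "correct horse battery staple"
    salt, v = create_verifier("jsmith", pw)
    print("salt =", salt.hex())
    print("v    =", format(v, "x")[:32] + "...")
    print("right password matches:", guess_matches("jsmith", pw, salt, v))
    print("wrong password matches:", guess_matches("jsmith", "hunter2", salt, v))
```

The practical consequence: passwd.srpv never contains a password, and a server holding it cannot impersonate the user to another server that has a different salt, but each line is still a salted SHA-1 of the password and so is as sensitive as a /etc/shadow entry. Keep the file readable only by the user that runs s_server (or openssl_helper), and prefer a large group such as the page's -gn 1536 or above, since the modulus also bounds the work of a passive attacker on the handshake.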
 Run a sample OpenSSL SRP server
openssl s_server -srpvfile passwd.srpv -tls1 -cipher SRP -cert server.crt -key server.key -www
Then you can connect to the server on port 4433 (s_server's default port) with GnuTLS. The example below uses the username "user" and password "secret"; substitute the username and password of the entry you added to passwd.srpv:
gnutls-cli --srpusername user --srppasswd secret 127.0.0.1 -p 4433
# type "GET /" <enter>; with -www the server answers with its status page
 openssl_helper in Chromium
To run openssl_helper, run the following (once you've built Chrome):
out/Debug/openssl_helper open-socket tls-srp --srpv-file net/data/ssl/certificates/ok.srpv --port 4443
Then connect to localhost:4443 with username "user" and password "secret". You can type "whoami" followed by <ENTER>, and it'll spit out your username. (The server exits after each connection.)
To see the source code of Chrome's openssl_helper, look at src/net/test/openssl_helper.cc in the Chrome source dir.
- If you have an OpenSSL daily snapshot installed in /usr/local, then you need to edit /usr/local/include/openssl/srp.h to remove the last two consts in the SRP_create_verifier function prototype. It should look like:
char *SRP_create_verifier(const char *user, const char *pass, char **salt, char **verifier, char *N, char *g);