HPE NonStop cF SSL Library Reference Manual Part Number: 839769-002 Published: May 2016 Edition: 1.7.1 © Copyright 2015, 2016 by Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website. Acknowledgments Itanium® is a registered trademark of Intel Corporation in the United States and other countries. UNIX® is a registered trademark of The Open Group. Contents Preface 5 What is NonStop cF SSL Library ..................................................................................................................... 5 Understanding the Use of SSL and TLS ........................................................................................................... 5 Who Should Read This Guide .......................................................................................................................... 5 Related Reading ................................................................................................................................................ 6 Document History ............................................................................................................................................. 6 Using NonStop cF SSL Library 7 Overview........................................................................................................................................................... 7 Example Socket code prior to using the NonStop cF SSL Library ......................................................... 7 Client Example Code using NonStop cF SSL Library............................................................................ 8 Server Example Code using NonStop cF SSL Library ........................................................................... 8 Pass-Through Mode ................................................................................................................................ 9 Step by step guide for adding of NonStop cF SSL Library............................................................................... 9 Install NonStop cF SSL Library files...................................................................................................... 9 Include library header file ..................................................................................................................... 10 Initialize the library once ...................................................................................................................... 10 Replace socket and nowait calls with calls to the library ...................................................................... 10 Activate SSL for a given socket............................................................................................................ 11 Error handling ....................................................................................................................................... 11 Bind in the library ................................................................................................................................. 11 Configuration of NonStop cF SSL Library ..................................................................................................... 12 Pass-Through Mode .............................................................................................................................. 12 NonStop cF SSL Library Parameter Reference .................................................................................... 12 Licensing .............................................................................................................................................. 13 Function Reference 14 Replacement of existing calls ......................................................................................................................... 14 SSL_accept1 ......................................................................................................................................... 14 SSL_accept_nw .................................................................................................................................... 14 SSL_accept_nw1 .................................................................................................................................. 14 SSL_accept_nw2 .................................................................................................................................. 14 SSL_bind .............................................................................................................................................. 14 SSL_bind_nw ....................................................................................................................................... 14 SSL_connect_nw .................................................................................................................................. 14 SSL_connect1 ....................................................................................................................................... 15 SSL_connect_nw .................................................................................................................................. 15 SSL_getpeername ................................................................................................................................. 15 SSL_getpeername_nw .......................................................................................................................... 15 SSL_getsockname................................................................................................................................. 15 SSL_getsockname_nw .......................................................................................................................... 15 SSL_getsockopt .................................................................................................................................... 15 HPE NonStop cF SSL Library Reference Manual 3 Contents SSL_getsockopt_nw ............................................................................................................................. 15 SSL_recv .............................................................................................................................................. 15 SSL_recv_nw ........................................................................................................................................ 15 SSL_send .............................................................................................................................................. 15 SSL_send_nw ....................................................................................................................................... 15 SSL_send_nw2 ..................................................................................................................................... 15 SSL_setsockopt..................................................................................................................................... 16 SSL_setsockopt_nw .............................................................................................................................. 16 SSL_shutdown1 .................................................................................................................................... 16 SSL_shutdown_nw ............................................................................................................................... 16 SSL_socket ........................................................................................................................................... 16 SSL_socket_nw .................................................................................................................................... 16 SSL_socket_get_len.............................................................................................................................. 16 SSL_socket_ioctl .................................................................................................................................. 16 SSL_socket_ioctl_nw ........................................................................................................................... 16 SSL_AWAITIOX ................................................................................................................................. 16 SSL_CANCELREQ.............................................................................................................................. 16 SSL_FILE_CLOSE_ ............................................................................................................................ 16 SSL_FILE_COMPLETE_ .................................................................................................................... 16 SSL_SETMODE................................................................................................................................... 17 SSL_SETMODENOWAIT .................................................................................................................. 17 Calls added by NonStop cF SSL Library ........................................................................................................ 17 SSL_init ................................................................................................................................................ 17 SSL_start .............................................................................................................................................. 18 SSL_SetParam ...................................................................................................................................... 18 SSL_get_encryption_method................................................................................................................ 19 SSL_get_last_error_code ...................................................................................................................... 19 SSL_get_last_error_text ....................................................................................................................... 19 Error numbers and Error texts within NonStop cF SSL Library 21 Introduction ..................................................................................................................................................... 21 Errors running as SSL client ........................................................................................................................... 21 Verification of server certificate failed ................................................................................................. 21 No shared cipher suites ......................................................................................................................... 21 Errors running as SSL server .......................................................................................................................... 22 Verification of server certificate failed ................................................................................................. 22 No shared cipher suites ......................................................................................................................... 22 Plain HTTP client connects to HTTPS Server ...................................................................................... 23 Plain TCP/IP client connects to SSL server .......................................................................................... 23 HPE NonStop cF SSL Library Reference Manual 4 Preface What is NonStop cF SSL Library NonStop cF SSL Library is a SSL library which brings the power of comForte's SSL implementation to your existing application on the NonStop platform. After replacing some calls in your application source code with the library's SSL-enabled counterpart and by adding a few lines of code for initialization of the library, NonStop cF SSL Library will SSL-enable your existing application. NonStop cF SSL Library builds upon comForte's proven SSL implementation used in other products, such as HPE NonStop SSL. Understanding the Use of SSL and TLS The use of the words "SSL" and "TLS" can lead to confusion as they are sometimes used interchangeably and sometimes not. Precisely technically speaking, SSL is the predecessor protocol of TLS and started out with SSL version 2.0. The protocol evolved as protocol design vulnerabilities were found and corrected. The successor of SSL 2.0 was SSL 3.0, followed by SSL version 3.1. With 3.1 the SSL protocol had developed to a point where it became clear, that the design wasn't flexible and extensible enough anymore to cope with future requirements. As a result of these limitations, the TLS protocol was developed and introduced. The TLS protocol was designed with backwards compatibility to the SSL protocol in mind and so its original version TLS 1.0 behaves basically in exactly the same way that SSL version 3.1 does. Therefore a notation of SSL 3.1 = TLS 1.0 is commonly found and SSL 3.1 and TLS 1.0 are referred to interchangeably. The SSL protocol was not further enhanced and so the last SSL protocol version is and will remain 3.1. All new enhancement efforts concentrate on extending the TLS protocol nowadays. The TLS protocol has been enhanced in subsequent versions to 1.0 and now TLS 1.1 and TLS 1.2 are standardized. At the time of writing TLS 1.3 is being developed as a new standard, but currently the latest standardized TLS version, TLS 1.2 provides basically everything to create highly secure connections. On the other hand, SSL versions 2.0 and 3.0 are considered as being cryptographically broken and therefore MUST NOT be used anymore. At the time of writing SSL 3.1 / TLS 1.0 are considered to provide good security. For applications where SSL/TLS is to be introduced as a new feature, it is strongly recommend to use TLS 1.2 by default. For applications utilizing earlier versions of TLS, it is strongly recommended to start migrating to TLS 1.2. TLS 1.2 should be the commonly used version by end of year 2016. Speaking about standard industry usage of the terms "SSL" and "TLS", they are used pretty much interchangeably. If not speaking about a specific protocol version, SSL and TLS are assumed to be the same thing, i.e. when people talk/write about "SSL", what they nowadays refer to is basically TLS. Various products, including this product, or also the widely used OpenSSL Library based their names on the original protocol and likely won't change that. However keep in mind that the use of "SSL" in those contexts without a specific version number is referring to both SSL/TLS, respectively in the future to TLS. Who Should Read This Guide This document is for users of the HPE NonStop cF SSL Library product. As this SSL library is used to add SSL capabilities to applications running on the NonStop platform, the audience will most likely consist of developers making use of NonStop cF SSL Library. HPE NonStop cF SSL Library Reference Manual 5 Preface Related Reading NonStop cF SSL Library shares components with other Hewlett Packard Enterprise products; most notably with the component called "SSLOBJ" which is part of HPE NonStop SSL and HPE NonStop cF SSL-AT. This reference manual focuses on the way NonStop cF SSL Library is integrated with your existing code and how this SSL library is configured in general. All details of the Hewlett Packard Enterprise SSL implementation and how to configure it are covered in the • HPE NonStop SSL Reference Manual already and are therefore not documented here. Explicit references to the HPE NonStop SSL Reference Manual are made throughout this document. Document History Version 1.7 The documentation now reflects that Hewlett Packard Enterprise, starting in October 2015, added comForte's original SecurLib/SSL product to the HPE price-book under the product name of NonStop cF SSL Library. Version 1.6 • Support for waited sockets included. • Section on Installation added. • Build instructions update. • Change default MINVERSION to 3.1 to match security recommendation. • Removed compromised values from default CIPHERSUITES and included additional ones; now: 192.20,192.10,0.57,0.56,0.136,0.135,192.25,192.15,192.5,0.53,0.132,192.18,192.8,0.22,0.19,192.23,192.13 ,192.3,0.10,192.19,192.9,0.51,0.50,0.69,0.68,192.24,192.14,192.4,0.47,0.65,192.17,192.7,192.22,192.12,19 2.2,0.5 • Add test certificates to package. • The function SSL_SetParam can now change the following parameters as well: SERVCERT, SERVKEY, LOGLEVELFILE, LOGLEVELEMS, LOGEMS, LOGLEVELCONSOLE, LOGCONSOLE. • The parameter LOGLEVEL has been deprecated. Version 1.5 • Support for the FILE_COMPLETE_ API included. Version 1.4 • The manual documents SecurLib/SSL version 0016 and later • The manual was renamed to “SecurLib/SSL Reference Manual” • The function SSL_SetParam can now change the following parameters as well: CLIENTKEYPASS, CLIENTCERT, CLIENTKEY, LOGLEVEL, LOGFILE Version 1.3 The new function SSL_SetParam has been added. Version 1.2 The manual layout has been changed. Version 1.1 This is the initial version of the manual. HPE NonStop cF SSL Library Reference Manual 6 Using NonStop cF SSL Library Overview NonStop cF SSL Library works by replacing some TCP/IP and system calls in your application with its own calls. The library calls are named identically except for a prefix SSL_; thus AWAITIOX is replaced with a call to SSL_AWAITIOX, send_nw is replaced with a call to SSL_send_nw and so on. Other than having to change those calls in your source code and having to add some initialization calls no more modifications to your source code are necessary. Example Socket code prior to using the NonStop cF SSL Library The following diagram (taken from HPE NonStop TCP/IP Programming Manual) shows how a normal nowaited TCP/IP application on the NonStop platform issues calls to the socket calls and to the AWAITIOX routine: Client Server 1. Optionally, set NonStop TCP/IP or TCP6SAM process name (socket_set_1net_name) 1. Optionally, set NonStop TCP/IP or TCP6SAM process name (socket_set_1net_name) 2. Create a socket (socket_nw, followed by AWAITIOX). 2. Create a socket (socket_nw, followed by AWAITIOX). 3. Optionally, bind the socket to any port (bind_nw, followed by AWAITIOX). 3. Optionally, bind the socket to any port (bind_nw, followed by AWAITIOX). 4. Connect the socket to the server (connect_nw, followed by AWAITIOX) 4. Listen for connections (listen). 5. Accept the connection. a. Accept an incoming connection (accept_nw, followed by AWAITIOX) b. Create a new socket (socket_nw) with (flags & 0200) nowait set. c. Call AWAITIOX, followed by SETMODE 30, followed by AWAITIOX d. Accept the new connection on the new socket (accept_nw2, followed by AWAITIOX). 5. Start data transfer (send_nw and/or recv_nw, followed by AWAITIOX, usually in a loop). 6. Start data transfer on the new socket (recv_nw and/or send_nw, followed by AWAITIOX, usually in a loop). 6. Optionally, shut down the socket (shutdown_nw, followed by AWAITIOX). 7. Optionally, shut down one or both sockets (shutdown_nw, followed by AWAITIOX). 7. Close the socket (CLOSE or FILE_CLOSE_). 8. Close the socket (CLOSE or FILE_CLOSE_). Table: TCP – Nowait Client and Server Steps After having changed the application to make use of the NonStop cF SSL Library, the sequence of code will be as shown in the following two sections. HPE NonStop cF SSL Library Reference Manual 7 Using NonStop cF SSL Library Client Example Code using NonStop cF SSL Library Note: Changes for usage of the SSL library are highlighted in yellow. 0. Initialize the library SSL_init(config_file_name, license_file_name, 2, SSL_CLIENT) 1. Optionally, set NonStop TCP/IP or TCP6SAM process name (socket_set_inet_name). 2. Create a socket (SSL_socket_nw, followed by SSL_AWAITIOX). 3. Setmode for any io completion order (SSL_SETMODENOWAIT, followed by SSL_AWAITIOX) 4. Optionally, bind the socket to any port (SSL_bind_nw, followed by SSL_AWAITIOX). 5. Connect the socket to the server (connect_nw, followed by SSL_AWAITIOX). 5a. Call SSL_start to make the library aware this is a client socket SSL_start(socket_fd, SSL_CLIENT) 6. Start data transfer (SSL_send_nw and/or SSL_recv_nw, followed by SSL_AWAITIOX, usually in a loop). 7. Optionally, shut down the socket (SSL_shutdown_nw, followed by SSL_AWAITIOX). 8. Close the socket SSL_FILE_CLOSE_ (note that the usage of CLOSE is not supported) Server Example Code using NonStop cF SSL Library Note: Changes for usage of the SSL library are highlighted in yellow. 0. Initialize the library SSL_init(config_file_name, license_file_name, 2, SSL_SERVER) 1. Optionally, set NonStop TCP/IP or TCP6SAM process name (socket_set_inet_name). 2. Create a socket (SSL_socket_nw, followed by SSL_AWAITIOX). 3. Bind the socket to a well-known port (SSL_bind_nw, followed by SSL_AWAITIOX). 4. Listen for connections (listen). 5. Accept the connection. a. Accept an incoming connection (SSL_accept_nw, followed by SSL_AWAITIOX). b. Create a new socket with (flags & 0200) nowait set. (SSL_socket_nw) c. Call HPE NonStop cF SSL Library Reference Manual 8 Using NonStop cF SSL Library (SSL_AWAITIOX, followed by SSL_SETMODENOWAIT 30, followed by SSL_AWAITIOX). d. Accept the new connection on the new socket (SSL_accept_nw2, followed by SSL_AWAITIOX). e. Call SSL_start to make the library aware this is a server socket SSL_start(socket_fd, SSL_SERVER) 6. Start data transfer on the new socket (SSL_recv_nw and/or SSL_send_nw, followed by SSL_AWAITIOX, usually in a loop). 7. Optionally, shut down one or both sockets (SSL_shutdown_nw, followed by SSL_AWAITIOX). 8. Close the socket SSL_FILE_CLOSE_ (note that the usage of CLOSE is not supported) Pass-Through Mode NonStop cF SSL Library can be configured to run in so-called Pass-Through mode. In Pass-Through Mode, the library will ***not*** add SSL functionality to the calling application. It will instead transparently pass through all calls to their original counterparts. Pass-Through Mode can be configured if there are any problems with SSL which cannot be resolved. By switching Pass-Through-Mode on, the library will not have any effect whatsoever on the calling application. Note that for pass-through mode to work, SSL needs to be turned off in the TCP/IP application which communicates with your TCP/IP application (running on the NonStop platform) as well. Step by step guide for adding of NonStop cF SSL Library NonStop cF SSL Library should be added to your existing source code by following the steps outlined below. Install NonStop cF SSL Library files The NonStop cF SSL Library software is delivered in a ZIP file containing the HPE NonStop_cF_SSL-Lib folder with the following structure: certs contains test certificates and configuration file inc contains include files lib contains library file to be bound with your application, in a subdirectory based on NonStop system type and C++ version - the subdirectory SSL_TNSR_v2_Neutral for S-Series systems, C++ version 2 - the subdirectory SSL_TNSR_v3_Neutral for S-Series systems, C++ version 3 - the subdirectory SSL_TNSE_v2_Neutral for Itanium systems, C++ version 2 - the subdirectory SSL_TNSE_v3_Neutral for Itanium systems, C++ version 3 - the subdirectory SSL_TNSX_v2_Neutral for NonStop X systems, C++ version 2 - the subdirectory SSL_TNSX_v3_Neutral for NonStop X systems, C++ version 3 openssl_shell contains openssl shell for Guardian as type 700, 800 and 500 object file sample_apps contains sample application Transfer the header file SecurLib_ssl.h from the PC location to the location where you are building your application. Make sure the file is transferred in ascii (text) mode. If you are building in the Guardian environment you will need to use a shorter filename, for example comfsslh. Choose the lib subdirectory which matches your machine and C++ version requirements. If you are only using C you may use either version 2 or version 3. Transfer the file seclib.a to the location where you are building your HPE NonStop cF SSL Library Reference Manual 9 Using NonStop cF SSL Library application. Make sure the file is transferred in binary mode. If you are building in the Guardian environment you will need to choose a name without an extension, for example secliba. If you wish to use the default certificates transfer them from the PC location to the host location. Make sure CACERT, SERVCERT and SERVKEY are transferred in binary mode, and SSLCFG is transferred in ascii mode. Include library header file Add the following #include statement to all source files who make socket calls or who call AWAITIOX: #include "comfssl.h" Initialize the library once Call the initialization routine of the library once during your startup code: int result; /* replace filename below with a zero-terminated string pointing to your configuration file */ char *config_file="$DATA1.SSL.SSLCFG"; char *license_file="$DATA1.SSL.LICENSE"; result=SSL_init(config_file,license_file,2); Note that the variable result will contain 0 on successful startup and if SSL is activated. If a value of non-zero is returned, NonStop cF SSL Library will run in "pass-through" mode. Replace socket and nowait calls with calls to the library Edit all your source files containing socket calls or nowait IO calls by replacing the following routines: /* socket calls */ accept[_nw] - note accept becomes SSL_accept1 accept[_nw1] accept2[_nw2] bind[_nw] connect[_nw] - note connect becomes SSL_connect1 getpeername[_nw] getpeername[_nw] getsockname[_nw] getsockname[_nw] getsockopt[_nw] getsockopt[_nw] recv[_nw] send[_nw] send[_nw2] setsockopt[_nw] shutdown[_nw] - note shutdown becomes SSL_shutdown1 socket[_nw] socket_get_len socket_ioctl[_nw] SETMODE[NOWAIT] /* nowait completion calls */ AWAITIOX CANCELREQ FILE_COMPLETE_ /* closing of a socket */ FILE_CLOSE_ with the same routine preceded by the prefix SSL. For example, change result=send_nw(socket,buf,len,0,tag); to result=SSL_send_nw(socket,buf,len,0,tag); If the nowait depth in socket_nw is less than 2 change it to 2. This nowait depth is necessary for the SSL handshake to be completed. If is not a requirement to use a nowait open on the socket (flags & 0200), a waited open is acceptable. HPE NonStop cF SSL Library Reference Manual 10 Using NonStop cF SSL Library Activate SSL for a given socket Call the following routine once after a socket has been fully connected to activate SSL for that socket: int result; int mode=SSL_SERVER; // or SSL_CLIENT, depending on the // SSL nature of the socket result=SSL_start(socket, mode); The call SSL_start has to be made before the first SSL_send_nw or SSL_recv_nw is called for that socket. Note: You can call the routine SSL_start multiple times without causing problems. Depending on the logic of your application, it may be easiest to add a call to SSL_start before each call to recv_nw or send_nw. Error handling Call the following routine after an error has occurred on a socket: long ssl_error; ssl_error=SSL_get_last_error_code(socket); The routine will return an error number detailing the error. It will return 0 if the error returned is a file-system error which should be retrieved by calling FILE_GETINFO_, otherwise it will return one of the error numbers listed in the appendix. See the function reference for a description of the routine SSL_get_last_error_text which returns a more detailed textual description of the last error. Bind in the library Add the library to the bind script for your application. Depending on your existing bind script you may need to add additional HPE libraries required by NonStop cF SSL Library. Guardian based examples for each of the system type and version number combinations are below. S-series, version 3 nld $system.system.crtlmain myobject $build.cfssllib.secliba -o myexe -l zstlsrl -obey $system.system.libcobey S-series, version 2 nld $system.system.crtlmain myobject $build.cfssllib.secliba -o myexe -l zrwslsrl -l zcplsrl -obey $system.system.libcobey Itanium, version 3 eld $system.system.ccplmain myobject $build.cfssllib.secliba -o myexe -l zcppcdll -l zcpp3dll -obey $system.system.libctxt Itanium, version 2 eld $system.system.ccplmain myobject $build.cfssllib.secliba -o myexe -l zcppcdll -l zcpp2dll -obey $system.system.libctxt NonStop X, version 3 xld $system.system.cppmainx $build.cfssllib.secliba -o myexe -l zcppcdll -l zcpp3dll NonStop X, version 2 xld $system.system.cppmainx $build.cfssllib.secliba -o myexe -l zcppcdll -l zcpp2dll After following these steps you will have an executable which will provide SSL functionality on its sockets. HPE NonStop cF SSL Library Reference Manual 11 Using NonStop cF SSL Library Configuration of NonStop cF SSL Library Configuration Overview NonStop cF SSL Library can be configured in two manners: • Through a configuration file, the filename of which being passed to the library when calling SSL_init. • Through PARAMs which the library reads from the environment. NonStop cF SSL Library shares most of its configuration value with the SSLOBJ component mentioned in section "Related Reading". Those settings are described in the HPE NonStop SSL Reference Manual. Note: PARAMs take precedence over entries in the configuration file. Pass-Through Mode The parameter USESSL and the way SSL_Init is called determine if the library runs in pass-through mode. For details see function reference SSL_init. NonStop cF SSL Library Parameter Reference This section describes all available parameters in alphabetical order. For detailed meaning of a parameter please refer to the HPE NonStop SSL Reference Manual. Note that SSLOBJ has more parameters than listed here; those additional parameters are not relevant to the SSL library and will be ignored. Parameter Meaning ALLOWCERTERRORS allows selective overriding of certificate validation errors. Default "0". CACERTS file names of a DER/PEM encoded X.509 CA certificates representing a certificate chain signing the certificate configured with the CLIENTCERT or SERVERCERT parameter. Default "CACERT". CIPHERSUITES list of cipher suites that will be accepted by a process utilizing NonStop cF SSL Library. Please see the HPE NonStop SSL Reference Manual for a detailed description of all supported ciphersuites as well as the default ciphersuites used. CLIENTAUTH Enforces client authentication when running as SSL server; set of root CA / intermediate CA certificates which sign trusted client certificates. CLIENTCERT file name of a DER/PEM encoded X.509 client certificate. Default "*". CLIENTKEY the private key to be used for the client certificate. PKCS#8 encoded DER/PEM. Default "*". CLIENTKEYPASS password for reading the (encrypted) private key file. Default "test". LICENSE the location for the license file of NonStop cF SSL Library. Default "LICENSE". LOGCONSOLE determines if log messages are written to a console. Default "*" (no logging). LOGEMS determines it log messages are written to EMS. Default "*" (no logging). LOGFILE determines if log messages are written to a file. Default "*" (no logging). LOGFORMATCONSOLE controls the format of the log messages written to the console. Default "93". LOGFORMATEMS controls the format of the log messages written to EMS. Default "64". LOGFORMATFILE controls the format of the log messages written to the log file. Default "93". LOGLEVELCONSOLE determines which messages are written to the console. Default "50". LOGLEVELEMS determines which messages are written to EMS. Default "50". LOGLEVELFILE determines which messages are written to the log file. Default "50". LOGMAXFILELENGTH controls the maximum size of the log file. Default "20000". MAXVERSION maximum admissible SSL/TLS protocol version. Default "3.3" (=TLS 1.2). MINVERSION minimum admissible SSL/TLS protocol version. Default "3.1" (=SSL 3.1 = TLS 1.0). SERVCERT file name of a DER/PEM encoded X.509 server certificate. Default "SERVCERT". HPE NonStop cF SSL Library Reference Manual 12 Using NonStop cF SSL Library Parameter Meaning SERVKEY the private key to be used for the server certificate. PKCS#8 encoded DER/PEM. Default "SERVKEY". SERVKEYPASS password for reading the (encrypted) private key file. Default "test". TRUST When running as SSL client: list of trusted CA or server certificate files or fingerprints. When running as SSL server - use PARAM CLIENTAUTH instead. Default "*" USESSL Can be used to switch SSL on or off through the configuration file or PARAMs. Default "1". Licensing NonStop cF SSL Library is licensed through a license file delivered by Hewlett Packard Enterprise. The location of the license file must be supplied to the call of SSL_init. If the license check fails, NonStop cF SSL Library will run in pass-through mode only. HPE NonStop cF SSL Library Reference Manual 13 Function Reference Replacement of existing calls The following calls within NonStop cF SSL Library are replacement of existing calls. All the routines have the exact same syntax and semantics as their original counterpart, see the HPE NonStop documentation for details. Note that the functions accept, connect and shutdown are replaced by SSL_accept1, SSL_connect1 and SSL_shutdown1 respectively. If you are using waited sockets you must use the replacement functions for all of your existing calls. If you are using nowait sockets some of the functions below are new and it is not absolutely necessary to use them. However this is for backwards compatibility and it is recommended that you use the replacement functions when writing new code. The functions that are not strictly required are: SSL_accept_nw, SSL_accept_nw1, SSL_accept_nw2, SSL_bind_nw, SSL_connect_nw, SSL_socket_nw, SSL_SETMODENOWAIT. SSL_accept1 int SSL_accept1 (int, struct sockaddr *, int *) SSL_accept_nw int SSL_accept_nw (int, struct sockaddr *, int *, long) SSL_accept_nw1 int SSL_accept_nw1 (int, struct sockaddr *, int *, long, int) SSL_accept_nw2 int SSL_accept_nw2 (int, struct sockaddr *, long) SSL_bind int SSL_bind (int, struct sockaddr *, int) SSL_bind_nw int SSL_bind_nw (int, struct sockaddr *, int, long) SSL_connect_nw int SSL_connect_nw (int, struct sockaddr *, int, long) HPE NonStop cF SSL Library Reference Manual 14 Function Reference SSL_connect1 int SSL_connect1 (int, struct sockaddr *, int) SSL_connect_nw int SSL_connect_nw (int, struct sockaddr *, int, long) SSL_getpeername int SSL_getpeername (int ,struct sockaddr *,int *) SSL_getpeername_nw int SSL_getpeername_nw (int ,struct sockaddr *,int *,long) SSL_getsockname int SSL_getsockname (int, struct sockaddr *, int *) SSL_getsockname_nw int SSL_getsockname_nw (int, struct sockaddr *, int *, long) SSL_getsockopt int SSL_getsockopt (int , int , int optname, char *, int *) SSL_getsockopt_nw int SSL_getsockopt_nw (int , int , int optname, char *, int *, long) SSL_recv int SSL_recv (int, char *, int, int) SSL_recv_nw int SSL_recv_nw (int, char *, int, int, long) SSL_send int SSL_send (int, char *, int, int) SSL_send_nw int SSL_send_nw2 (int, char *, int, int, long) SSL_send_nw2 int SSL_send_nw2 (int, char *, int, int, long) HPE NonStop cF SSL Library Reference Manual 15 Function Reference SSL_setsockopt int SSL_setsockopt (int , int , int , char *, int) SSL_setsockopt_nw int SSL_setsockopt_nw (int , int , int , char *, int , long) SSL_shutdown1 int SSL_shutdown1(int, int) SSL_shutdown_nw int SSL_shutdown_nw (int, int, long) SSL_socket int SSL_socket (int, int, int) SSL_socket_nw int SSL_socket (int, int, int, int, int) SSL_socket_get_len int SSL_socket_get_len (int) SSL_socket_ioctl int SSL_socket_ioctl (int , int , char *) SSL_socket_ioctl_nw int SSL_socket_ioctl_nw (int , int , char *, long) SSL_AWAITIOX _extensible _cc_status SSL_AWAITIOX (short _far *, long _far *, short _far *, long _far *, long, short _far *) SSL_CANCELREQ _extensible _cc_status SSL_CANCELREQ(short, long) SSL_FILE_CLOSE_ _extensible short SSL_FILE_CLOSE_ (short, short) SSL_FILE_COMPLETE_ _extensible _cc_status SSL_FILE_COMPLETE_(short _far *completion_info, __int32_t timelimit, short _far *complete_element_list, short num_complete_elements, short _far HPE NonStop cF SSL Library Reference Manual 16 Function Reference *error_complete_element); SSL_SETMODE _variable _cc_status SSL_SETMODE(short, short, short, short, short _near *) SSL_SETMODENOWAIT _variable _cc_status SSL_SETMODENOWAIT(short, short, short, short, short _near *, long) (note to writer: SSL_sock_close_reuse_nw has been deliberately removed) Calls added by NonStop cF SSL Library NonStop cF SSL Library provides a couple of additional routines to be called by your application code. This section explains the syntax and semantic of those calls. SSL_init int SSL_init( char * cfg_file, char * license_file, int use_ssl_mode, int ssl_client_or_server ) This routine reads SSL parameters and initializes the library. It should be called one time during startup of your program. It will return 0 only if SSL will be turned on. Parameters: Parameters Meaning cfg_file name of config file or NULL if no config file is available license_file name of license file mode determines if SSL will be turned on or off: mode=0 Value of USESSL will be ignored, SSL will be turned OFF mode=1 Value of USESSL will be ignored, SSL will be turned ON mode=2 Value of USESSL will be used to determine if SSL is turned on or off ssl_client_or_server determines if the library will work as SSL client or server (or both). SSL_SERVER to only run as SSL server, SSL_CLIENT to only run as SSL client (SSL_SERVER | SSL_CLIENT) to run as both Returns: Returns Meaning 0 SSL is turned on -1 SSL is turned off by parameter "mode" passed as 0 -2 SSL is turned off because "mode" was 2 and USESSL was 0 -3 SSL is turned off because the license check failed -4 error initializing SSL, SSL is turned off -5 SSL is turned off because there was an error reading certificates. (File system error larger than zero) configuration file was passed but could not be read; SSL is turned off. The file system error is returned. HPE NonStop cF SSL Library Reference Manual 17 Function Reference SSL_start int SSL_start( int socket, int mode ) This routine starts SSL for a given socket in the given mode. Call this function before issuing the first call to SSL_send, SSL_send_nw, SSL_send_nw2, SSL_recv or SSL_recv_nw on a socket. Parameters: Parameters Meaning socket socket file number mode SSL_SERVER or SSL_CLIENT Returns: Returns Meaning 0 no error error a problem occurred Considerations: This call should always return 0. If it does not, there either is an unexpected problem in NonStop cF SSL Library or there is an error in the way you are calling the library routines. SSL_SetParam char *SSL_SetParam(char *param, char *value); This routine sets configuration parameters programmatically. It has to be called before calling SSL_init. Parameters: Parameters Meaning param the name of the parameter value the value of the parameter Returns: Returns Meaning NULL no error a zero-terminated string describing the error a problem occurred Considerations: The following parameter can be changed using SetParam: • SERVKEYPASS, CLIENTKEYPASS, CLIENTCERT, CLIENTKEY, CACERTS, SERVCERT, SERVKEY, LOGLEVELCONSOLE, LOGLEVELEMS, LOGLEVELFILE, LOGEMS, LOGCONSOLE, LOGFILE • The parameters LOGLEVELCONSOLE, LOGLEVELEMS, LOGLEVELFILE, LOGEMS, LOGCONSOLE and LOGFILE can be changed either before or after SSL_init has been called. The other parameters can only be changed before SSL_init has been called. • For the meaning of the parameters please see section "Parameter_Reference " and/or the "HPE NonStop SSL Reference Manual". HPE NonStop cF SSL Library Reference Manual 18 Function Reference SSL_get_encryption_method char* SSL_get_encryption_method( int socket ) This routine retrieves the current encryption method for a given socket. Parameters: Parameters Meaning socket socket number Returns: Returns Meaning char* contains the string representation of encryption method NULL if no encryption method is active on that socket. Considerations: NULL can be returned for the following reasons: • NonStop cF SSL Library is in "pass-through-mode". • The SSL handshake on that socket has not completed yet. SSL_get_last_error_code int SSL_get_last_error_code(int socket) This routine determines the last SSL error number generated on a given socket. Parameters: Parameters Meaning socket socket number Returns: Returns Meaning 0 no SSL error occurred SSL error number File System error number Considerations: If a socket routine returned an error through AWAITIOX you should retrieve the file system error on that socket with a call to FILE_GETINFO. If that yields no file system error, you should retrieve the SSL error number with a call to SSL_get_last_error_code. You can also retrieve a detailed textual description of the last error within the SSL library by calling SSL_get_last_error_text. See chapter "Error numbers and Error texts" for details on the error numbers. SSL_get_last_error_text char *SSL_get_last_error_code() This routine returns a textual representation of the last problem occurring within the library. Parameters: (none) HPE NonStop cF SSL Library Reference Manual 19 Function Reference Returns: Textual representation of last error occurred within the library. The textual representation is returned as a "C-type" zero-terminated string. See chapter "Error numbers and Error texts" for some examples. Considerations: In contrast to SSL_get_last_error_code, this call returns the last error text for all sockets. HPE NonStop cF SSL Library Reference Manual 20 Error numbers and Error texts within NonStop cF SSL Library Introduction SSL is a complex protocol. Therefore many things can go wrong resulting in many potential errors. Within this appendix, some common error situations are explained and the associated error numbers are listed. The error numbers returned by NonStop cF SSL Library are the standard error numbers used within OpenSSL. If an error number occurs which is not listed in here, Hewlett Packard Enterprise will be able to assist in analysis given the error number. Simple calling SSL_get_last_error_text and logging the textual error message somewhere within your application may prove to be sufficient in a lot of scenarios. This chapter is organized into two sections: the first section lists errors running as SSL client, the second one errors running as SSL server. Note that some error scenarios apply to both cases; however the error numbers and messages will be different. Errors running as SSL client The following errors can occur when NonStop cF SSL Library is used to run as SSL client. Verification of server certificate failed SSL error number: 0x14090086 Full SSL error text: error code: 0x14090086 in I:\openssl\0.9.7a\work1-Win32\ssl\s3_clnt.c in line 843. error text: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Explanation: In SSL, the clients need to authenticate the server; this happens during SSL session setup. If the client decides he does not trust the server he will issue that error message. Remedy: Check server certificate and client configuration. Within NonStop cF SSL Library, the parameter for the client is TRUST. No shared cipher suites SSL error number: 0x14077410 HPE NonStop cF SSL Library Reference Manual 21 Error numbers and Error texts within NonStop cF SSL Library Full SSL error text: error code: 0x14077410 in I:\openssl\0.9.7a\work1-Win32\ssl\s23_clnt.c in line 470. error text: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure Explanation: SSL allows configuring so-called cipher-suites both on the client and server. If no matching cipher suites exist between client and server, the server will send an alert and the client will return that error. Remedy: Check client and server configuration. Within NonStop cF SSL Library, cipher suites are configured using the parameter CIPHERSUITES. Errors running as SSL server The following errors can occur when NonStop cF SSL Library is used to run as SSL server. Verification of server certificate failed SSL error number: 0x140940e5 Full SSL error text: error code: error data: error text: unknown error code: error text: 0x14094416 in I:\openssl\0.9.7a\work1-Win32\ssl\s3_pkt.c in line 1052. SSL alert number 46 error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 0x140940e5 in I:\openssl\0.9.7a\work1-Win32\ssl\s3_pkt.c in line 837. error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure Explanation: In SSL, the clients need to authenticate the server; this happens during SSL session setup. If the client decides he does not trust the server he will send an alert to the server which will in turn report that error number and message. Remedy: Check server certificate and client configuration. Within NonStop cF SSL Library, the parameters for the server are SERVKEY, SERVCERT and CACERTS. No shared cipher suites SSL error number: 0x1408a0c1 Full SSL error text: error code: 0x1408a0c1 in I:\openssl\0.9.7a\work1-Win32\ssl\s3_srvr.c in line 881. error text: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Explanation: SSL allows configuring so-called cipher-suites both on the client and server. If no matching cipher suites exist between client and server, the server will report that error. Remedy: Check client and server configuration. Within NonStop cF SSL Library, cipher suites are configured using the parameter CIPHERSUITES. HPE NonStop cF SSL Library Reference Manual 22 Error numbers and Error texts within NonStop cF SSL Library Plain HTTP client connects to HTTPS Server SSL error number: 0x1407609c Full SSL error text: error code: 0x1407609c in I:\openssl\0.9.7a\work1-Win32\ssl\s23_srvr.c in line 400. error text: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request Explanation: If a new SSL connection is established, the SSL client and server set up the session following a specific protocol. If a normal HTTP requests arrives as the first packet from the SSL client, the SSL server will issue that specific error. Remedy: Make sure the client uses SSL as well. Plain TCP/IP client connects to SSL server SSL error number: 0x140760fc Full SSL error text: error code: 0x140760fc in I:\openssl\0.9.7a\work1-Win32\ssl\s23_srvr.c in line 585. error text: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol Explanation: If a new SSL connection is established, the SSL client and server set up the session following a specific protocol. If the first packet from the SSL client, the SSL server does not follow that protocol, the server will report that error. Remedy: Make sure the client uses SSL as well. HPE NonStop cF SSL Library Reference Manual 23