Let's go over some basics of using the OpenSSL library in server applications before beginning a concrete example.
Before OpenSSL can be used, it must be initialized. The following code initializes the OpenSSL library, loads the requisite encryption algorithms, and loads useful error strings:
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
Refer to the previous Chapter 9, Loading Secure Web Pages with HTTPS and OpenSSL, for more information.
Our server also needs to create an SSL context object. This object works as a sort of factory from which we can create TLS/SSL connections.
The following code creates the SSL_CTX object:
SSL_CTX *ctx = SSL_CTX_new(TLS_server_method());
if (!ctx) {
fprintf(stderr, "SSL_CTX_new() failed.\n");
return 1;
}
If you're using an older version of OpenSSL, you may need to replace TLS_server_method() with TLSv1_2_server_method() in the preceding code. However, a better solution is to upgrade to a newer OpenSSL version.
After the SSL_CTX object is created, we can set it to use our self-signed certificate and key. The following code does this:
if (!SSL_CTX_use_certificate_file(ctx, "cert.pem" , SSL_FILETYPE_PEM)
|| !SSL_CTX_use_PrivateKey_file(ctx, "key.pem", SSL_FILETYPE_PEM)) {
fprintf(stderr, "SSL_CTX_use_certificate_file() failed.\n");
ERR_print_errors_fp(stderr);
return 1;
}
That concludes the minimal OpenSSL setup needed for an HTTPS server.
The server should then listen for incoming TCP connections. This was covered in detail in Chapter 3, An In-Depth Overview of TCP Connections.
After a new TCP connection is established, we use the socket returned by accept() to create our TLS/SSL socket.
First, a new SSL object is created using our SSL context from earlier. The following code demonstrates this:
SSL *ssl = SSL_new(ctx);
if (!ctx) {
fprintf(stderr, "SSL_new() failed.\n");
return 1;
}
The SSL object is then linked to our open TCP socket using SSL_set_fd(). The SSL_accept() function is called to establish the TLS/SSL connection. The following code demonstrates this:
SSL_set_fd(ssl, socket_client);
if (SSL_accept(ssl) <= 0) {
fprintf(stderr, "SSL_accept() failed.\n");
ERR_print_errors_fp(stderr);
return 1;
}
printf ("SSL connection using %s\n", SSL_get_cipher(ssl));
You may notice that this code is very similar to the HTTPS client code from Chapter 9, Loading Secure Web Pages with HTTPS and OpenSSL. The only real differences are in the setup of the SSL context object.
Once the TLS connection is established, data can be sent and received using SSL_write() and SSL_read(). These functions replace the send() and recv() functions used with TCP sockets.
When the connection is finished, it is important to free resources, as shown by the following code:
SSL_shutdown(ssl);
CLOSESOCKET(socket_client);
SSL_free(ssl);
When your program is finished accepting new connections, you should also free the SSL context object. The following code shows this:
SSL_CTX_free(ctx);
With an understanding of the basics out of the way, let's solidify our knowledge by implementing a simple example program.