Turn a simple socket into an SSL socket

There are several steps when using OpenSSL. You must have an SSL certificate made which can contain the certificate with the private key be sure to specify the exact location of the certificate (this example has it in the root). There are a lot of good tutorials out there.

• Some documentation and tools from HP (see chapter 2)
• Command line for OpenSSL

Some includes:

#include <openssl/applink.c>#include <openssl/bio.h>#include <openssl/ssl.h>#include <openssl/err.h>

You will need to initialize OpenSSL:

void InitializeSSL(){    SSL_load_error_strings();    SSL_library_init();    OpenSSL_add_all_algorithms();}void DestroySSL(){    ERR_free_strings();    EVP_cleanup();}void ShutdownSSL(){    SSL_shutdown(cSSL);    SSL_free(cSSL);}

Now for the bulk of the functionality. You may want to add a while loop on connections.

int sockfd, newsockfd;SSL_CTX *sslctx;SSL *cSSL;InitializeSSL();sockfd = socket(AF_INET, SOCK_STREAM, 0);if (sockfd< 0){    //Log and Error    return;}struct sockaddr_in saiServerAddress;bzero((char *) &saiServerAddress, sizeof(saiServerAddress));saiServerAddress.sin_family = AF_INET;saiServerAddress.sin_addr.s_addr = serv_addr;saiServerAddress.sin_port = htons(aPortNumber);bind(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr));listen(sockfd,5);newsockfd = accept(sockfd, (struct sockaddr *) &cli_addr, &clilen);sslctx = SSL_CTX_new( SSLv23_server_method());SSL_CTX_set_options(sslctx, SSL_OP_SINGLE_DH_USE);int use_cert = SSL_CTX_use_certificate_file(sslctx, "/serverCertificate.pem" , SSL_FILETYPE_PEM);int use_prv = SSL_CTX_use_PrivateKey_file(sslctx, "/serverCertificate.pem", SSL_FILETYPE_PEM);cSSL = SSL_new(sslctx);SSL_set_fd(cSSL, newsockfd );//Here is the SSL Accept portion.  Now all reads and writes must use SSLssl_err = SSL_accept(cSSL);if(ssl_err <= 0){    //Error occurred, log and close down ssl    ShutdownSSL();}

You are then able read or write using:

SSL_read(cSSL, (char *)charBuffer, nBytesToRead);SSL_write(cSSL, "Hi :3\n", 6);

UpdateThe SSL_CTX_new should be called with the TLS method that best fits your needs in order to support the newer versions of security, instead of SSLv23_server_method(). See:OpenSSL SSL_CTX_new description

TLS_method(), TLS_server_method(), TLS_client_method(). These are the general-purpose version-flexible SSL/TLS methods. The actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. The supported protocols are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3.

OpenSSL is quite difficult. It's easy to accidentally throw away all your security by not doing negotiation exactly right. (Heck, I've been personally bitten by a bug where curl wasn't reading the OpenSSL alerts exactly right, and couldn't talk to some sites.)

If you really want quick and simple, put stud in front of your program an call it a day. Having SSL in a different process won't slow you down: http://vincent.bernat.im/en/blog/2011-ssl-benchmark.html

For others like me:

There was once an example in the SSL source in the directory demos/ssl/ with example code in C++. Now it's available only via the history:https://github.com/openssl/openssl/tree/691064c47fd6a7d11189df00a0d1b94d8051cbe0/demos/ssl

You probably will have to find a working version, I originally posted this answer at Nov 6 2015. And I had to edit the source -- not much.

Certificates: .pem in demos/certs/apps/: https://github.com/openssl/openssl/tree/master/demos/certs/apps