The SSL support in 0.68 is...fragile...at best, but still if you want to test it, here's how:
Option 1:
1) Generate a self-signed root certificate that will be used to sign individual certs. Install this certificate in the hub.
2) Generate a certificate for each client, and sign it with the root certificate. Make sure you don't encrypt the private key, DC++ cannot handle encrypted keys (yet?).
3) Install the root (hub) certificate in each client. This is done by copying the PEM-formatted certificate to the client's trusted certificates directory that you set up in the certificates page in settings.
4) Point DC++ to the private key & own certificate using the same settings page.
5) Connect to the hub. The hub should request the signed cert from the user and can use that as authentication.
6) Clients, when connecting to each other will only allow connections to/from other clients whose certificates they trust - if all clients are signed by the hub and all clients trust the hub this comes for free.
Option 2:
1) Generate a self-signed certificate and point DC++ to it.
2) For every client you want to connect to, put its certificate in the trusted certs folder. This will make you trust any user whose cert is signed by the trusted folder certs as well.
3) Connect to the hub - not necessarily using SSL. Any file transfers will still be encrypted.
A few tips:
1) Most probably, in the future, DC++ will require the certificate CN field to match the base32 encoded CID much like web certs must match the domain name, so save yourself some trouble by using this convention already.
2) Search replies and any other UDP traffic are still not encrypted.
3) Only ADC hubs are supported, connect to them with the adcs:// prefix instead of adc://
4) http://www.gagravarr.org/writing/openssl-certs/ca.shtml contains a reasonable guide on how to create the certificates.
5) A [S] in your transfer bar will indicate that the transfer is encrypted.
Enjoy!
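Steps 1 and 2 of Option 1 and the CN tip, worked through with the openssl command line as an added example that is not part of the original post. File names, subject names and the CID value are constructed placeholders; the last two functions check the properties the post relies on (unencrypted client key, cert chaining to the hub root).

```bash
#!/usr/bin/env bash
# Added example; names, paths and the CID value are constructed placeholders.
set -eu

make_hub_ca() {          # Option 1, step 1: self-signed root for the hub
  # CA key is left unencrypted here only to keep the run non-interactive
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Hub Root" \
    -keyout "$1/hub-ca.key" -out "$1/hub-ca.pem" 2>/dev/null
}

make_client_cert() {     # step 2: client key + cert signed by the root
  # $1 = working dir, $2 = value for the CN field (tip 1: base32 CID)
  # -nodes writes the private key unencrypted, as the post requires
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -days 365 \
    -CA "$1/hub-ca.pem" -CAkey "$1/hub-ca.key" -CAcreateserial \
    -out "$1/client.pem" 2>/dev/null
}

key_is_unencrypted() {   # encrypted PEM keys contain the word ENCRYPTED
  ! grep -q 'ENCRYPTED' "$1"
}

chain_is_trusted() {     # $1 = trusted root PEM, $2 = cert to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

cert_cn() {              # print the CN of a certificate
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Demo run in a throwaway directory.
CID="CONSTRUCTEDPLACEHOLDERCID234567"   # constructed, not a real CID
work=$(mktemp -d)
make_hub_ca "$work"
make_client_cert "$work" "$CID"
key_is_unencrypted "$work/client.key"
chain_is_trusted "$work/hub-ca.pem" "$work/client.pem"
echo "client cert CN=$(cert_cn "$work/client.pem") chains to the hub root"
rm -rf "$work"
```

The file to copy into each client's trusted certificates directory is `hub-ca.pem`; the `.key` files stay private.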
The 0.68+ SSL howto
ullner wrote: Have a look at my blog for a cert creating tutorial for Windows...
That was helpful. Could you also tell me what file(s) I should share with my friends so my generated certs would be "trusted"?
Re: The 0.68+ SSL howto
Quote: 3) Only ADC hubs are supported, connect to them with the adcs:// prefix instead of adc://
Is there any possibility to use SSL with the NMDC protocol?
Example link as dchubs://
I ask because I would like to write native SSL support for DConnect Daemon (www.dc.ds.pg.gda.pl)
Re: The 0.68+ SSL howto
rafal.prasal wrote: Is there any possibility to use ssl with nmdc protocol?
example link as dchubs://
DC++ doesn't have any code for secure NMDC (or even ADC) hub connections. I think one or more of the Linux clients may have support, however.
encrypted dc++
I've tried changing the code a couple of times so that the only sockets it would create and listen on were SSLSockets, but while it kind of worked the connections always died after a few seconds of transfer and I don't know enough to figure out exactly why it isn't working... :/