The 0.68+ SSL howto

Technical discussion about the NMDC and ADC (http://dcpp.net/ADC.html) protocols. The NMDC protocol is documented in the Wiki (http://dcpp.net/wiki/), so feel free to refer to it.

arnetheduck
The Creator Himself
Posts: 296
Joined: 2003-01-02 17:15

The 0.68+ SSL howto

Post by arnetheduck » 2006-01-10 18:21

The SSL support in 0.68 is...fragile...at best, but still if you want to test it, here's how:

Option 1:
1) Generate a self-signed root certificate that will be used to sign individual certs. Install this certificate in the hub.

2) Generate a certificate for each client, and sign it with the root certificate. Make sure you don't encrypt the private key; DC++ cannot handle encrypted keys (yet?).

3) Install the root (hub) certificate in each client. This is done by copying the pem formatted certificate to the client's trusted certificates directory that you set up in the certificates page in settings.

4) Point DC++ to the private key & own certificate using the same settings page.

5) Connect to the hub. The hub should request the signed cert from the user and can use that as authentication.

6) Clients, when connecting to each other, will only allow connections to/from other clients whose certificates they trust - if all clients are signed by the hub and all clients trust the hub, this comes for free.

Option 2:
1) Generate a self-signed certificate and point DC++ to it.

2) For every client you want to connect to, put its certificate in the trusted certs folder. This will make you trust any user whose cert is signed by the trusted folder certs as well.

3) Connect to the hub - not necessarily using SSL. Any file transfers will still be encrypted.

A few tips:
1) Most probably, in the future, DC++ will require the certificate CN field to match the base32 encoded CID much like web certs must match the domain name, so save yourself some trouble by using this convention already.

2) Search replies and any other UDP traffic are still not encrypted.

3) Only ADC hubs are supported; connect to them with the adcs:// prefix instead of adc://

4) http://www.gagravarr.org/writing/openssl-certs/ca.shtml contains a reasonable guide on how to create the certificates.

5) An [S] in your transfer bar will indicate that the transfer is encrypted.

Enjoy!

ullner
Forum Moderator
Posts: 333
Joined: 2004-09-10 11:00

Post by ullner » 2006-01-11 13:23

Have a look at my blog for a cert creating tutorial for Windows...
Last edited by ullner on 2006-03-09 05:19, edited 1 time in total.

ConstB
Posts: 2
Joined: 2006-02-17 15:27
Location: Tomsk, Russia

Post by ConstB » 2006-02-17 15:30

ullner wrote:Have a look at my blog for a cert creating tutorial for Windows...
That was helpful. Could you also tell what file(s) should I share with my friends so my generated certs would be "trusted"?

ullner
Forum Moderator
Posts: 333
Joined: 2004-09-10 11:00

Post by ullner » 2006-02-17 17:06

ssft_root.cert

rafal.prasal
Posts: 1
Joined: 2007-01-07 07:20

Re: The 0.68+ SSL howto

Post by rafal.prasal » 2007-01-07 07:27

arnetheduck wrote:3) Only ADC hubs are supported, connect to them with the adcs:// prefix instead of adc://
Is there any possibility to use SSL with the NMDC protocol?
For example, a link such as dchubs://

I ask because I would like to write native SSL support for
DConnect Daemon (www.dc.ds.pg.gda.pl).

GargoyleMT
DC++ Contributor
Posts: 3212
Joined: 2003-01-07 21:46
Location: .pa.us

Re: The 0.68+ SSL howto

Post by GargoyleMT » 2007-01-08 18:44

rafal.prasal wrote:Is there any possibility to use ssl with nmdc protocol?
example link as dchubs://
DC++ doesn't have any code for secure NMDC (or even ADC) hub connections. I think one or more of the Linux clients may have support, however.

theanomaly
Posts: 2
Joined: 2006-08-27 22:05

encrypted dc++

Post by theanomaly » 2007-01-11 21:41

I've tried changing the code a couple of times so that the only sockets it would create and listen on were SSLSockets, but while it kind of worked, the connections always died after a few seconds of transfer, and I don't know enough to figure out exactly why it isn't working... :/
