TLS server functionality is now, basically, complete.
Still a couple of things I need to test, but I was even able to perform an HTTPS connection with a browser successfully.
There is one restriction, and one untested feature.
The restriction is that it can only work with certificates in the computer's certificate store. It cannot work with individual certificate files and private keys, yet.
If you want to use a certificate with this version, you have to load the certificate into the local computer's "Personal" store. It won't work with the current user's store yet, either. Loading the certificate into the store, therefore, requires admin access, although using the cert doesn't.
The untested feature is the ability to transition a server connection over to TLS. In theory, you Read() data from the client, determine if it's a ClientHello request (check if the first byte is chr$(22)), then pass the data you've already read (along with the length) into the PerformServerHandshake() function, telling it to use your data instead of reading from the client itself. I haven't actually tested this yet, though, so it's up in the air as to whether it works.
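As an added example (not code from the LB-SChannel-Wrapper project), here is the "is this a ClientHello?" decision above done a little more carefully than a first-byte check: it also looks at the record version and length, tells you when the buffered read is too short to hand to the handshake as a complete record, and pulls the SNI host name out so it can be compared with the commonName/DNS.1 on the cert being served. The sample ClientHello is constructed inline for testing.

```python
# Added example, not part of the LB-SChannel-Wrapper project: classify the first
# bytes read on a freshly accepted socket as the start of a TLS ClientHello (hand
# to the server handshake) or plain text. Only record/handshake framing is parsed.
import struct

TLS_RECORD_HANDSHAKE = 0x16      # content type 22, the chr$(22) check in the post
HANDSHAKE_CLIENT_HELLO = 0x01

def classify_first_bytes(data: bytes) -> str:
    """Return 'client_hello', 'need_more' (read again) or 'not_client_hello'."""
    if data and data[0] != TLS_RECORD_HANDSHAKE:
        return "not_client_hello"             # e.g. the 'G' of "GET / HTTP/1.1"
    if len(data) < 6:                         # 5-byte record header + handshake type
        return "need_more"
    _, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if major != 3 or minor > 3:               # record-layer version 3.0 .. 3.3 only
        return "not_client_hello"
    if not 0 < rec_len <= 16384 or data[5] != HANDSHAKE_CLIENT_HELLO:
        return "not_client_hello"             # bad length, or a non-ClientHello message
    if len(data) < 5 + rec_len:
        return "need_more"                    # give the handshake a complete record
    return "client_hello"

def sni_hostname(record: bytes):
    """Server name requested in a complete ClientHello record, or None if absent."""
    p = 5 + 4 + 2 + 32                        # record hdr, handshake hdr, version, random
    p += 1 + record[p]                        # session_id
    p += 2 + int.from_bytes(record[p:p + 2], "big")   # cipher_suites
    p += 1 + record[p]                        # compression_methods
    if p + 2 > len(record):
        return None                           # no extensions block at all
    p, end = p + 2, p + 2 + int.from_bytes(record[p:p + 2], "big")
    while p + 4 <= end:
        p, (ext_type, ext_len) = p + 4, struct.unpack_from("!HH", record, p)
        if ext_type == 0 and ext_len >= 5 and record[p + 2] == 0:   # server_name, host_name
            name_len = int.from_bytes(record[p + 3:p + 5], "big")
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return None

def build_sample_client_hello(host: str = "localhost") -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (one cipher suite, SNI only) for testing."""
    name = host.encode("ascii")
    sni = (b"\x00\x00" + (len(name) + 5).to_bytes(2, "big") + (len(name) + 3).to_bytes(2, "big")
           + b"\x00" + len(name).to_bytes(2, "big") + name)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + len(sni).to_bytes(2, "big") + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```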
I've also included a Win32 copy of the openssl toolkit now, along with a bunch of scripts, both to help test TLS connections, and to generate test certificates to use with LB.
In the CA-test folder:
The openssl-bin folder just has the files I obtained from an openssl distribution. The executable, a couple of libraries, and the license and readme.
There are three .conf files, root-ca.conf, sub-ca.conf, and localhost.conf. Those are the configuration files that determine various attributes of the certificates and Certificate Authorities (CAs) that get generated. These can mostly be left alone. The main one you might want to edit is localhost.conf, if you want to change the name of the server on the cert that gets generated (so you can try different names in LB). If you do this, change both the `commonName = "localhost"` AND the `DNS.1 = localhost` lines. Otherwise, the cert won't be recognized properly by some client software (especially web browsers).
OpenSSL-ENV.cmd is a script you can generally ignore; it's called by most of the other scripts in this folder, to add the openssl-bin folder to the PATH environment variable, so subsequent commands can use openssl.exe properly.
OpenSSL-cmd.cmd is there if YOU want to run OpenSSL commands; double-click this, and it'll auto-execute OpenSSL-ENV, and then give you a command prompt that you can use. I mainly used this for the openssl s_client command, which is basically a TLS version of telnet. Useful for testing the LB server.
gen-root-ca, gen-sub-ca, and gen-localhost-cert are all similar scripts. The first two generate the Root and Intermediate Certificate Authority certificates and infrastructure, creating two new folders with a bunch of stuff inside, root-ca and sub-ca. (The Root CA one generates a self-signed CA certificate to use as a Root; the Sub CA one generates an intermediate CA cert that gets signed by the Root.) The last one is what generates a signed server certificate for the server named "localhost", signed by the Intermediate CA. (Though it seems overly complicated for testing, this three-tier structure is what pretty much all of public PKI uses, so I wanted to make sure LB could use it properly.)
Generate All Certs simply runs all of the above-mentioned gen-* scripts, in the proper order. Makes it easy to create a set of certs to test with.
add-certs will take the generated certs, and import them into the proper places in your computer's certificate store. YOU MUST RUN THIS AS ADMIN. Easiest way is to right-click on it, and click "Run as Administrator". It will fail if it is not running with administrative privileges. It imports the Root certificate to the Local Computer\Trusted Root Certification Authorities store (also known as the "ROOT" store). It imports the Sub certificate into the Local Computer\Intermediate Certification Authorities store (also known as the "CA" store). It imports the localhost cert/key combination package to the Local Computer\Personal store (also known as the "MY" store). You can then find these certificates in the stores if you search for "Certificate" on the Windows start menu, and then open the "Manage computer certificates" option.
delete-certs does the opposite, and removes all of the generated certificates from the various stores. I recommend removing them if you're not using them at the time, so they can't be abused. These are unrestricted Certificate Authorities. You could use them to generate certs for banking websites, Google, etc., and as long as your Root CA was trusted, all the browsers on your computer would trust the false certs. (This is why both the Root CA and Sub CA have "DO NOT TRUST" in their subject names.)
clean-PKI will delete the root-ca, sub-ca, and localhost folders, deleting all of the generated cert and key files, as well as the generated CA infrastructure files.
For testing, I recommend running Generate All Certs, and then add-certs. This will allow the test.bas and test-https.bas files to run properly.
For testing test.bas, run the program, press ENTER so it starts listening for connections, and then I recommend using the openssl test client to test the connection.
Run OpenSSL-cmd, and then run this command at the command line:
openssl s_client -CAfile root-ca\certs\root-ca.crt -connect localhost:27016
This will cause openssl to connect to the LB server, go through the normal handshake, and then wait for input. Just type stuff into the OpenSSL window, and hit ENTER. You should see it appear in the LB console window, and you should see the LB server's responses appear in the OpenSSL window.
Send the command "END" (must be all caps) to have the LB server close itself down.
For testing test-https.bas, run the program, hit ENTER to start listening, and then go to your browser, and navigate to https://localhost:27016. You should see the request the browser sends in the LB console, as well as LB's raw response, and you should get a successful connection in the browser that shows "secure", saying "Test successful!".
EDIT: Noticed a quirk with using the local machine cert store that causes it to essentially not work after rebooting or logging out. (Read permissions for the private key get assigned to the logon session that imports the key, not the user account. SYSTEM and the built-in Administrators group also have access. After a logout/reboot, you'd either need to manually edit the private key permissions to give your user account read access, or you'd have to run LB as administrator, for it to be able to read the private key.)
Modified the program to be able to use the local user store as well, and added additional copies of the add-store and delete-store scripts that target the user store, not the machine store.
EDIT2: With the few changes and additions I've made, I'm going to (tentatively) call this the first release version, and upload a prebuilt copy to use.
github.com/iversc/lb-schannel-wrapper/releases/download/Release-1.0.0/LB-SChannel-Wrapper_1.0.0.zip