ssl-talk-faq.txt
    Layer) protocol. SSLRef 3.0 is intended to aid and accelerate
    developers' efforts to provide security within TCP/IP applications.
    It can also be used to qualify other implementations of version 3.0
    of the SSL protocol.

    SSLRef 3.0 consists of a software library, distributed as ANSI C
    source-code, that can be compiled on Windows 95/NT and Solaris
    platforms, and then linked into TCP/IP application programs. SSLRef
    3.0 also was designed to be easily ported to a wide variety of
    other platforms and operating systems.

    More information on SSLRef can be found at
        <http://home.netscape.com/newsref/std/sslref.html>

    If you are a US or Canadian citizen you can download SSLRef 3.0 at
        <http://wwwus.netscape.com/eng/US-Current/>


7.1.2) How can I license SSLRef 3.0? What does it cost? With what restrictions?

    The SSLRef 3.0 distribution includes a license for non-commercial
    use. For commercial licensing, send mail to <sslref@netscape.com>.

    The SSLRef 3.0 commercial license is Part Number 70-01128-00 and the
    price is $30,000. The license agreement is a flat one-time fee, not
    a recurring royalty.

    SSLRef 3.0 may not be exported. However, the encryption options in
    SSLRef 3.0 can be limited to make exportable products.

    SSLRef 3.0 does not include an RSA/BSAFE license for required
    cryptographic functions. Most users would use BSAFE or RSAREF.

        For BSAFE information contact RSA at
            <http://www.rsa.com/>

        For RSAREF information contact Consensus Development at
            <http://www.consensus.com/rsaref/>


------------------------------

7.2) SSL PLUS QUESTIONS

This sub-section contains information specific to the SSL Plus: SSL
3.0 Integration Suite(tm) software toolkit developed by Consensus
Development Corporation of Berkeley, California
<http://www.consensus.com/>.


7.2.1) What is the relationship between SSLRef and SSL Plus?

    SSLRef 3.0 was written by Netscape Development Corporation and
    Consensus Development Corporation. SSL Plus is a derivative of
    SSLRef 3.0, is fully supported and offers unique value-added
    features.

    SSL Plus 1.0 includes support, updates, an upgrade to TLS when that
    spec is completed, a VeriSign certificate request tool, and a
    "signer" file format for storing keys and certificates; it is
    qualified for additional platforms, and system integration services
    are available.

    SSLRef 3.0 offers 5 ciphersuites:

      * Unprotected
        (SSL_NULL_WITH_NULL_NULL)

      * RSA authenticated, unencrypted, with MD5
        (SSL_RSA_WITH_NULL_MD5)

      * RSA authenticated with exportable RC4 encryption, and MD5
        (SSL_RSA_EXPORT_WITH_RC4_40_MD5)

      * RSA authenticated with DES encryption, and SHA
        (SSL_RSA_WITH_DES_CBC_SHA)

      * Diffie-Hellman anonymous key exchange with DES encryption,
        and SHA
        (SSL_DH_anon_WITH_DES_CBC_SHA)

    SSL Plus 1.0 adds support for an additional 6 ciphersuites (with
    more planned for the future):

      * RSA authenticated, unencrypted, with SHA
        (SSL_RSA_WITH_NULL_SHA)

      * RSA authenticated with non-exportable RC4 encryption, with
        MD5 or SHA
        (SSL_RSA_WITH_RC4_128_MD5 & SSL_RSA_WITH_RC4_128_SHA)

      * RSA authenticated with Triple-DES encryption, with SHA
        (SSL_RSA_WITH_3DES_EDE_CBC_SHA)

      * Diffie-Hellman anonymous key exchange with RC4 encryption,
        with MD5
        (SSL_DH_anon_WITH_RC4_128_MD5)

      * Diffie-Hellman anonymous key exchange with Triple-DES
        encryption and SHA
        (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)

    For more information on SSL Plus features see
        <http://www.consensus.com/SSLPlus/sslplus_stats.html>


7.2.2) What is the relationship with SSL Plus and SSLRef 2.0?

    There is no relationship between SSLRef 2.0 and SSL Plus -- SSL Plus
    is based on SSLRef 3.0, which was not based on SSLRef 2.0.


7.2.3) How can I license SSL Plus? What does it cost? With what
restrictions?

    A non-commercial license of SSL Plus is not available, only
    commercial licenses. However, evaluation versions are available upon
    signing a non-disclosure and beta test agreement.

    The price for SSL Plus is $40,000, and includes a one-year standard
    support contract. Premium support is available for an additional
    fee.  The license agreement is a flat one-time fee, not a recurring
    royalty.

    SSL Plus toolkit may not be exported. However, products built with
    SSL Plus may limit the encryption options to exportable algorithms
    and thus be able to be exported.

    SSL Plus does not include an RSA/BSAFE license for cryptographic
    functions required.  Most users would use BSAFE or RSAREF:

        For BSAFE information contact RSA at
            <http://www.rsa.com/>

        For RSAREF information contact Consensus Development at
            <http://www.consensus.com/rsaref/>


    Copies of the evaluation NDA and beta agreement, the standard
    product license agreement, and standard support contract for
    SSL Plus are located at
        <http://www.consensus.com/sslplus/sslplus_contracts.html>


7.2.4) Is there any relationship between SSL Plus and Winsock 1.1 or
Winsock 2.0? Which Winsock would you recommend using to test our
SSL? Does it matter if Winsock 1.1 or 2.0 architecture is used?

    No -- SSL Plus is designed to be transport independent and work with
    both socket and stream styles of I/O. SSL Plus includes some
    examples of using WinSock 1.1 in the Win32 builds of our sample
    code. However, we recommend that you write your own callback code if
    you want better handling of your I/O than what our sample routines
    provide.


7.2.5) How does the data flow within the application, WinSock, SSL,
TCP/IP stack layers?

    The short answer is that you insert SSL Plus between your I/O and
    your application code.

    Basically, you call SSL Plus instead of your read and write. SSL
    Plus does its stuff and calls your callback code to do the I/O. Data
    comes through your I/O routines, through SSL Plus, and then finally
    to your application.  SSL Plus only manages the data flowing through
    the connection; it does not handle setting up and tearing down the
    underlying network connection; your application should open the
    network connection, then hand it off to SSL Plus for SSL handshaking
    and data transfer. (This step is not shown in the diagram).

    Normal:

         -------------
        | Application |
         -------------
             ^
             | I/O Calls
             v
         -------------
        | WinSock     |
         -------------
             ^
             | TCP Calls
             v
         -------------
        | Internet    |
         -------------


    SSL Plus:

         -------------
        | Application |
         -------------
             ^
             | SSL I/O Calls
             v
         -------------     I/O Callbacks   --------------------
        | SSL Plus    | <---------------->| Your Callback Code |
         -------------                     --------------------
                                                    ^
                                                    | I/O Calls
                                                    v
                                               -------------
                                              | WinSock     |
                                               -------------
                                                    ^
                                                    | TCP Calls
                                                    v
                                               -------------
                                              | Internet    |
                                               -------------


7.2.6) A part of my impression is that with the WinSock 2.0
architecture, the application need only choose an appropriate SSL
enabled service provider. Does SSL Plus support this?

    As you noted, with WinSock 2.0 there is some discussion of
    functionality that allows you to create a module that you could add
    to WinSock 2.0.

    At this time we do not believe that this functionality is actually
    shipping (as Microsoft was supporting PCT but is now supporting
    SSL 3), but we do know that it is part of their plans. See the
    MS-ISF (Microsoft Internet Security Framework) description at
        <http://www.microsoft.com/intdev/security/>

    We can't speak to when or if Microsoft will add it to their system
    software, or if another third-party offers such a module.

    Meanwhile, there has been some discussion on what changes might be
    required under WinSock 2.0 to do SSL located at
        <http://home.netscape.com/newsref/std/ssl_integration.html>

    In the future (post version 1.1, see our features page) we may offer
    either more robust sample callback code for WinSock 1.1 and/or 2, or
    we may actually write our own WinSock 1.1 substitute or 2.0 module
    that you call as you would call WinSock and avoid the callbacks
    altogether. Neither would be available before the end of the year.


7.2.7) Does SSL Plus support yielding?

    SSL Plus 1.0 includes support for processor yielding during
    cryptographic operations. Because developers provide their own I/O
    routines, they can do yielding during I/O. Our examples do not
    demonstrate I/O yielding.


7.2.8) I don't understand the nomenclatures of constants such as
"SSL_RSA_EXPORT_WITH_RC4_40_MD5" -- where are they defined?

    They are found in include/cryptype.h, but are actually defined
    by the SSL 3.0 spec.


7.2.9) Where are these cipher suites defined?

    In the file ciphers.c there is an array of values and implementation
    pointers for supported cipher suites.


7.2.10) Can I change the order of the values in ciphers.c?

    Yes. The order affects the preference; in general, the highest one
    on the client's list which the server supports will be selected.
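
    Added example, not SSL Plus or SSLRef code: a small C model of the
    preference rule just described, run over the suite names listed in
    7.2.1. The policy filter and every function name are this example's
    own assumptions; it shows that because the client's order governs,
    a server that does not want to end up on a NULL, anonymous or
    40-bit export suite has to drop them from its own list rather than
    rely on the client's preferences.

```c
#include <string.h>
/* Policy for this example (an assumption, not SSL Plus's): reject suites with
 * no cipher or MAC (NULL), unauthenticated key exchange (anon) and 40-bit
 * export ciphers (EXPORT). Returns non-zero for a suite that fails policy. */
int suite_is_weak(const char *name)
{
    return strstr(name, "NULL") || strstr(name, "_anon_") || strstr(name, "EXPORT");
}

/* Copy the suites in `in` that pass policy to `out`; return how many were kept. */
size_t filter_by_policy(const char *const *in, size_t n, const char **out)
{
    size_t i, kept = 0;
    for (i = 0; i < n; i++) if (!suite_is_weak(in[i])) out[kept++] = in[i];
    return kept;
}

/* The 7.2.10 rule: the first suite in the client's preference order that the
 * server also supports wins; NULL means no common suite, so no handshake. */
const char *select_suite(const char *const *client, size_t nc,
                         const char *const *server, size_t ns)
{
    size_t i, j;
    for (i = 0; i < nc; i++)
        for (j = 0; j < ns; j++)
            if (strcmp(client[i], server[j]) == 0)
                return client[i];
    return NULL;
}

/* Same rule, after the server has applied its policy to its own list. */
const char *select_with_policy(const char *const *client, size_t nc,
                               const char *const *server, size_t ns)
{
    const char *ok[16];
    if (ns > 16) return NULL;
    return select_suite(client, nc, ok, filter_by_policy(server, ns, ok));
}

/* Constructed sample lists using the suite names quoted on this page: a client
 * that lists export and anonymous suites as fallbacks, and a server offering
 * exactly the five SSLRef 3.0 suites. */
const char *const client_prefs[] = { "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DH_anon_WITH_DES_CBC_SHA",
    "SSL_NULL_WITH_NULL_NULL" };
const size_t client_prefs_n = 6;
const char *const sslref_server[] = { "SSL_NULL_WITH_NULL_NULL",
    "SSL_RSA_WITH_NULL_MD5", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DH_anon_WITH_DES_CBC_SHA" };
const size_t sslref_server_n = 5;
```

    With the client order alone the sample pair lands on the 40-bit
    export suite; with the server-side policy applied it lands on
    SSL_RSA_WITH_DES_CBC_SHA instead.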


7.2.11) Can this be done programmatically in the API?

    No, it is configured at compile time. We will be adding runtime
    support in the near future because it will be needed for future test
    frameworks.


7.2.12) Does SSL Plus support compression?

    Not at this time. If there is a specific customer requirement, or if
    a compression cipher suite is defined we expect to support it in the
    future, but otherwise we have no plans here.


7.2.13) In sslrec.c function SSLWriteRecord(), the data buffer is
copied, encrypted, then enqueued on the SSL write queue. The function
then returns. What thread services the write queue? How is the
thread created?

    The write queue is serviced by the public function called
    SSLServiceWriteQueue(). It is called in a number of places in
    ssltrspt.c, including with every call to SSLWrite(). Data to be
    written is sent to the I/O layer as you exit out of the write
    function (for example, right near the bottom of SSLWrite).

    If SSLWrite() returns SSLWouldBlockError, then make a call to
    SSLServiceWriteQueue() to service the write queue. (You could
    instead make a call to SSLWrite() with more data to be written, but
    this is unlikely.)

    The write queue is not serviced by a separate execution thread. The
    write queue mechanism was designed to support non-blocking I/O
    without undue overhead.


------------------------------

7.3) SSLEAY QUESTIONS

This sub-section contains information specific to the SSLeay
toolkit developed by Eric Young <eay@mincom.com>


7.3.1) Where is the SSLeay FAQ?

    There is a very complete SSLeay FAQ at:
        <http://www.psy.uq.oz.au/~ftp/Crypto/>

------------------------------------------------------------------------
..Christopher Allen                  Consensus Development Corporation..
..<ChristopherA@consensus.com>                 1563 Solano Avenue #355..
..                                             Berkeley, CA 94707-2116..
..Home of "SSL Plus:                      o510/559-1500  f510/559-1505..
.. Security Integration Suite(tm)" <http://www.consensus.com/SSLPlus/>..
