
                        USER MANUAL


    Index  

    1. Library  
       1.1 Description of libraries
       1.2 Dependencies 

    2. Functions 
       2.1 Description of functions 
       2.2 Dependencies 

    3. ... 

    4. Protocol TCP
       4.1 Examples TCP connection 

    5. SSL 
       5.1 Cipher Suite
       5.2 Identity, Certification Authority and Truststore
       5.3 Examples SSL connection

    6. HTTP Connection 
       6.1 Examples HTTP Connection 

    7. HTTP Over SSL Connection
       7.1 Examples HTTPS Connection





                          ~ ~ ~ ~ ~


0x1. Library.              


     0x1.1 Description of libraries 

      - param
      - conf
      - tcp
      - ssl
      - client 
      - output 


     0x1.2 Dependencies.

     myTCPClient                             X    
          \                                  |   FrontEnd   
          |                                  X 
          |
          |                               
          '--- param                         X  
          |      \                           |  
          |      '--- conf                   | 
          |      '--- output                 | 
          |                                  |   BackEnd  
          '--- client                        | 
                 \                           | 
                 '--- tcp                    | 
                 '--- ssl                    | 
                 '--- output                 X  





0x2. Functions.


     0x2.1 Description of functions  


     0x2.2 Dependencies  

     myTCPClient 
          /
          |
          '---o [PARAM] ParametriCheck
          |        \
          |        '---o [OUTPUT] PrintMessage
          |        |
          |        '---o [PARAM] Uri2SingleFieldConnect
          |        |
          |        '---o [CONF] LoadConf
          |        |       \
          |        |       '---o [CONF] AnalizzaRiga
          |        |
          |        '---o [CONF] getVar
          |
          |
          '---o [CLIENT] ClientConnect 
          |        \
          |        '---o [TCP] ConnessioneTCP  
          |        '---o [TCP] DisconnettiTCP  
          |        |
          |        '---o [SSL] ConnessioneSSL  
          |        |                \
          |        |                '---o [SSL] CreateContestoSSL  
          |        |                                \
          |        |                                '---o [SSL] sigpipe_handle  
          |        '---o [SSL] VerificaIdentity 
          |        '---o [SSL] DisconnettiSSL (LIB SSL) 
          |        |                \
          |        |                '---o [SSL] DistruggiContestoSSL  
          |        |
          |        '---o [CLIENT] ServerRequest
          |        '---o [CLIENT] ServerResponse
          |
          |
          '---o [CLIENT] PrintClientConnect
                   \
                   '---o [OUTPUT] PrintMessage
                   '---o [SSL]  VisualizzaCertificato
                     


                          ~ ~ ~ ~ ~

0x3. ...

                          ~ ~ ~ ~ ~


0x4. Protocol TCP



     0x4.1 Examples TCP Connection.


     >>> Example 1. Connect to HTTP Server On Host 10.12.54.98 port 80 
      
     jack0e@jack0e-laptop:~/tmp/myTCPClient/bin$ ./myTCPClient --connect tcp://10.12.54.1:80
     Universal Client TCP version 0.0.4
     Raffaele Granito (c) 2008 Licence GPLv2

     connecting to tcp://10.12.54.1:80 ... 
     TCP connection... ok
     TCP disconnect... ok



     >>> Example 2. Destination Host Unreachable. 

     The HOST 10.12.54.98 is DOWN.

     jack0e@jack0e-laptop:~/Desktop/PdS/Collaudo/SSL/myTCPClient/src$ ping 10.12.54.98
     PING 10.12.54.98 (10.12.54.98) 56(84) bytes of data.
     From 10.12.158.1 icmp_seq=2 Destination Host Unreachable
     From 10.12.158.1 icmp_seq=3 Destination Host Unreachable
     From 10.12.158.1 icmp_seq=4 Destination Host Unreachable

     --- 10.12.54.98 ping statistics ---
     5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4005ms


     jack0e@jack0e-laptop:~/tmp/myTCPClient/bin$ ./myTCPClient --connect tcp://10.12.54.98:10443
     Universal Client TCP version 0.0.4
     Raffaele Granito (c) 2008 Licence GPLv2

     connecting to tcp://10.12.54.98:10443 ... 
     TCP connection... ko
     I opened the socket but I can not connect to server.




     >>> Example 3. No service listening.

     The host 10.12.54.1 is up, but the port is not in use.

     jack0e@jack0e-laptop:~/Desktop/PdS/Collaudo/SSL/myTCPClient/src$ ping 10.12.54.1
     PING 10.12.54.1 (10.12.54.1) 56(84) bytes of data.
     64 bytes from 10.12.54.1: icmp_seq=1 ttl=55 time=15.2 ms
     64 bytes from 10.12.54.1: icmp_seq=2 ttl=55 time=16.1 ms
     64 bytes from 10.12.54.1: icmp_seq=3 ttl=55 time=15.6 ms

     --- 10.12.54.1 ping statistics ---
     3 packets transmitted, 3 received, 0% packet loss, time 2001ms
     rtt min/avg/max/mdev = 15.229/15.671/16.104/0.371 ms


     jack0e@jack0e-laptop:~/tmp/myTCPClient/bin$ nmap 10.12.54.1 -p 8080
     Starting Nmap 4.20 ( http://insecure.org ) at 2008-10-22 15:01 CEST
     Interesting ports on 10.12.54.1:
     PORT     STATE  SERVICE
     8080/tcp closed http-proxy
     Nmap finished: 1 IP address (1 host up) scanned in 0.201 seconds

     jack0e@jack0e-laptop:~/tmp/myTCPClient/bin$ ./myTCPClient --connect tcp://10.12.54.1:8080
     Universal Client TCP version 0.0.4
     Raffaele Granito (c) 2008 Licence GPLv2

     connecting to tcp://10.12.54.1:8080 ... 
     TCP connection... ko
     I opened the socket but I can not connect to server.


     

     >>> Example 4. Hostname cannot be resolved.

     The destination name does not resolve to an address: 10.12.54.1000 is not a valid IPv4 
     address and www.notexist.org does not exist.

     jack0e@jack0e-laptop:~/tmp/myTCPClient/bin$ ./myTCPClient --connect tcp://10.12.54.1000:80
     Universal Client TCP version 0.0.4
     Raffaele Granito (c) 2008 Licence GPLv2

     connecting to tcp://10.12.54.1000:80 ...
     TCP connection... ko
     I can not resolve the hostname.


     jack0e@jack0e-laptop:~/tmp/myTCPClient/bin$ ./myTCPClient --connect tcp://www.notexist.org:80
     Universal Client TCP version 0.0.4
     Raffaele Granito (c) 2008 Licence GPLv2

     connecting to tcp://www.notexist.org:80 ...
     TCP connection... ko
     I can not resolve the hostname.
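     The following Python script is an added example; it is not part of the manual and not the code of myTCPClient. 
     It reproduces the three outcomes shown in Examples 1 to 4 (connected, name not resolved, socket opened but 
     connect failed) for a tcp://host:port URI, using only the standard library. The function names, the 
     3-second timeout and the two loopback helpers used for offline testing are my own choices.

```python
import socket
from urllib.parse import urlsplit


def parse_tcp_uri(uri):
    """Split 'tcp://host:port' into (host, port).

    Raises ValueError for another scheme, a missing host or port, or a
    port outside 0-65535 (urlsplit checks the range for us).
    """
    parts = urlsplit(uri)
    if parts.scheme != "tcp" or not parts.hostname:
        raise ValueError(f"expected tcp://host:port, got {uri!r}")
    port = parts.port                      # ValueError if not an int in range
    if port is None:
        raise ValueError("a port is required")
    return parts.hostname, port


def is_valid_tcp_uri(uri):
    """True when parse_tcp_uri() accepts the URI."""
    try:
        parse_tcp_uri(uri)
        return True
    except ValueError:
        return False


def tcp_connect(uri, timeout=3.0):
    """Attempt the TCP connection and report one of the manual's three
    outcomes as (ok, message): connected, name not resolved, or socket
    opened but connect failed (refused, unreachable or timed out)."""
    host, port = parse_tcp_uri(uri)
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        # "10.12.54.1000" is not an IPv4 literal, so it goes to DNS and fails
        # there, exactly like a non-existent name such as www.notexist.org.
        return False, "I can not resolve the hostname."
    family, socktype, proto, _, sockaddr = infos[0]
    sock = socket.socket(family, socktype, proto)   # socket opened ...
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)                      # ... now try to connect
    except OSError:
        # ECONNREFUSED for a closed port (Example 3), EHOSTUNREACH or a
        # timeout for a host that is down (Example 2).
        return False, "I opened the socket but I can not connect to server."
    finally:
        sock.close()                                # "TCP disconnect... ok"
    return True, "TCP connection... ok"


def local_listener():
    """Listening socket on an ephemeral loopback port, for offline tests."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def free_loopback_port():
    """A loopback port with no listener on it (bind, read the number, close)."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    srv = local_listener()
    print(tcp_connect(f"tcp://127.0.0.1:{srv.getsockname()[1]}"))
    srv.close()
    print(tcp_connect(f"tcp://127.0.0.1:{free_loopback_port()}"))
```

     The distinction between the two failure messages matters when reading the tool's output: a resolution 
     failure happens before any socket is opened, while "I opened the socket but I can not connect" covers 
     both a refused port on a live host and a host that is down.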


 

0x5. SSL


     0x5.1 Cipher Suite

        
     Table A. Cipher Suite Supported

     No. Cipher Suite Name   Remark 
     -------------------------------------------------------------------------  
     1.  NULL-MD5            No data encryption; MD5 for message integrity. 
     2.  NULL-SHA            No data encryption; SHA for message integrity. 
     3.  RC4-MD5             RC4 (128-bit key) for data encryption;         
                             MD5 for message integrity.                     
     4.  RC4-SHA             RC4 (128-bit key) for data encryption;          
                             SHA for message integrity.                     
     5.  EXP-RC2-CBC-MD5     Export RC2 (40-bit key) for data encryption;   
                             MD5 for message integrity.                     
     6.  EXP-RC4-MD5         Export RC4 (40-bit key) for data encryption;   
                             MD5 for message integrity.                     
     7.  EXP-DES-CBC-SHA     Export DES (40-bit key) for data encryption;   
                             SHA for message integrity.                     
     8.  DES-CBC-SHA         DES (56-bit key) for data encryption;         
                             SHA for message integrity.                     
     9.  DES-CBC3-SHA        Triple-DES (168-bit key) for data              
                             encryption; SHA for message integrity.         
     10. DES-CBC-MD5         DES (56-bit key) for data encryption;          
                             MD5 for message integrity.                     
     11. DES-CBC3-MD5        Triple-DES (168-bit key) for data encryption;  
                             MD5 for message integrity.                     
     12. RC2-CBC-MD5         RC2 (128-bit key) for data encryption;         
                             MD5 for message integrity.                     
     13. AES128-SHA          AES128 (128-bit key) for data encryption;      
                             SHA for message integrity. The AES128          
                             cipher algorithm operates in cipher            
                             block chaining mode for SSL data.              
     14. AES256-SHA          AES256 (256-bit key) for data encryption;      
                             SHA for message integrity. The AES256          
                             cipher algorithm operates in cipher block      
                             chaining mode for SSL data.                    




     0x5.2 Identity, Certification Authority and Truststore.


     >>> STEP 1. Create an RSA private key for host www.alice.org using OpenSSL. 
     The pass phrase is used by OpenSSL to encrypt the private key with Triple-DES (-des3).

     jack0e@jack0e-laptop:~/tmp/myTCPClient$ openssl genrsa -des3 1024 > identity/www.alice.org.key
     Generating RSA private key, 1024 bit long modulus
     ....++++++
     .......++++++
     e is 65537 (0x10001)
     Enter pass phrase: ***************** 
     Verifying - Enter pass phrase: ******************* 


     jack0e@jack0e-laptop:~/Desktop/PdS/Collaudo/SSL/myTCPClient$ cat identity/www.alice.org.key 
     -----BEGIN RSA PRIVATE KEY-----
     Proc-Type: 4,ENCRYPTED
     DEK-Info: DES-EDE3-CBC,1DC8D0F055305126

     dlPEtyulD79SPitw7BFf9U9cJyDd316D5nrdrn2VnErAi9tfbDq/fr8uNDxSy9Kd
     wSK+F520Arg93KNEy5HPCFUhXMxfrnJySngMswQgP3J0D4Z3oQzxJEPCtYNbsDHO
     BzrY/OntKAS4a+8fQMZXNRHjtaueKzXI3Y+eBZ8VXzdjKWrG/a19iHmRSJaHu/Eo
     M3XyIOhmyLxz080exhKMOyjglKMUzSbwjjQGgU7CbWNXrmNxJ6zzQpEYGoBxzeup
     CxojAaYjW48M4uAyAc/SbV5aQ78dpfmN8GMOIfjEHNEKk5WXGiGBUb/cO41UBC+u
     02r/mvRcK6Y+RJK1hJOCPdQ4qzmPUBBoMxY/SmVF4jMigQkT270tteydF6NQ8RHb
     fRAlbDusTowkSRi0FAnrx5xM1pmHc9s12JfUB/jEnTvkiYYcAoCPJukboPfyr1H+
     JPscDJ2r8CveNEBtBaBU2uHhJ5T4dNonpxGyYEXPp94cDf2CqNrei9JMK4bLPqCu
     IG6AHi9f/ADXrsJOodSY0xoLzjsUhPUZGF4aJohneOD+6VrBW23ou1lxkh3zodMR
     vluVLzA+5t8TtfURfto1FaBvcH95zHXEIYsV8L+2uZgPLRw5LFxFt2rKHdTo/bwo
     5QtqWEguCS+x2M2hZI2OhQ/ZyWxg4WAgyWSY0oW6XhnmcsB6ax4b2J6y+qFzJbaf
     FM+Ny6JwkS3FwJtgqE4j2HF0dt2/GGYJWteQvkmQEOFWClgD3q/3Hrc9rIteZhuL
     0EF3EOa7iKSSTKYrLEOtsAUJCMIZT4aBoiC5vAtiaC4awHTXrqaWfA==
     -----END RSA PRIVATE KEY-----



     >>> STEP 2: Create the certificate request (CSR). This derives the public key and binds it 
     to a person, host or device. The request must be signed by a certification authority 
     (for example Verisign); the signed request is the certificate. 
 	
     jack0e@jack0e-laptop:~/myTCPClient$ openssl req -new \
     -key identity/www.alice.org.key \
     -out identity/www.alice.org.csr

     Enter pass phrase for identity/www.alice.org.key: **********************  <-----.  
     You are about to be asked to enter information that will be incorporated        | 
     into your certificate request.                                                  | 
     What you are about to enter is what is called a Distinguished Name or a DN.     | 
     There are quite a few fields but you can leave some blank                       | 
     For some fields there will be a default value.                             Pass phrase
     If you enter '.', the field will be left blank.                     to decrypt private key 
     -----
     Country Name (2 letter code) [AU]                          : IT                 X  
     State or Province Name (full name) [Some-State]            : Italy              | 
     Locality Name (eg, city) []                                : Rome               |  Owner X.509 certificate 
     Organization Name (eg, company) [Internet Widgits Pty Ltd] : Alice ltd          |  
     Organizational Unit Name (eg, section) []                  : Information Tecn   |  
     Common Name (eg, YOUR name) []                             : www.alice.org      |  
     Email Address []                                           : admin@alice.org    X 

     Please enter the following 'extra' attributes
     to be sent with your certificate request
     A challenge password []:
     An optional company name []:


     Now, I verify it.

     jack0e@jack0e-laptop:~/myTCPClient$ openssl req \
     -text \
     -noout \
     -verify \
     -in identity/www.alice.org.csr 

     Verify OK
     Certificate Request:
         Data:
               Version: 0 (0x0)
               Subject: C=IT, ST=Italy, L=Rome, O=Alice ltd, OU=Information Tecnology, 
                        CN=www.alice.org/emailAddress=admin@alice.org
               Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                  RSA Public Key: (1024 bit)
                      Modulus (1024 bit):
                        00:e1:43:04:cc:1c:38:2e:aa:7c:61:0a:63:b5:0e:
                        50:86:d7:b8:36:cb:95:ad:e1:dc:b4:44:38:22:41:
                        10:26:c8:22:63:91:15:7c:c1:1f:0c:62:26:cc:44:
                        b5:33:70:93:26:22:39:33:5c:f8:eb:d0:61:a1:7c:
                        dd:1f:00:8a:6e:bc:bf:ce:ab:7f:6d:56:83:5a:ae:
                        68:dd:b6:8b:07:18:e2:86:4a:6b:fa:bb:4f:29:ac:
                        dc:29:44:98:12:d7:2c:fa:94:5d:ad:a1:b8:28:32:
                        17:d6:f5:f4:35:23:30:b6:44:a1:fd:5e:49:a3:ca:
                        12:1a:12:9e:c5:07:73:ef:49
                     Exponent: 65537 (0x10001)
                  Attributes:
                     a0:00
              Signature Algorithm: sha1WithRSAEncryption
                     3a:cd:f3:c3:28:12:85:31:9c:2b:1e:62:54:e1:e7:04:4a:1b:
                     85:53:9e:5c:99:d8:d9:8d:4d:05:18:37:23:50:62:50:3a:1b:
                     5f:8f:b0:7c:20:ca:26:43:85:a3:f7:0a:45:ca:fc:2a:3f:5c:
                     02:bd:f1:e8:4d:32:4d:6a:bd:7b:82:6a:50:1f:38:7f:e8:3b:
                     2b:9d:02:dd:a8:15:2d:ef:61:52:51:83:9b:ab:6f:a3:f1:11:
                     c0:23:a2:ad:38:6e:5d:c3:29:56:1d:b3:94:a3:e3:8d:f7:72:
                     ec:5c:e5:71:83:d2:01:1f:69:39:61:bd:c5:ff:e0:f6:65:fc:
                     41:f0



     >>> STEP 4: Create my certification authority for testing.

     OpenSSL includes CA.pl, a script that creates a pretend CA intended for test and 
     development environments. I used that. 

     jack0e@jack0e-laptop:~/Desktop/PdS/Collaudo/SSL/myTCPClient$ /usr/lib/ssl/misc/CA.pl -newca
     CA certificate filename (or enter to create)  <ENTER> 

     Making CA certificate ...
     Generating a 1024 bit RSA private key
     ..++++++
     ......................................................++++++
     writing new private key to './demoCA/private/cakey.pem'
     Enter PEM pass phrase: **********************                            | pass phrase to encrypt 
     Verifying - Enter PEM pass phrase: **************************            | the CA private key 
     -----
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,                    .------ DN 
     If you enter '.', the field will be left blank.                   V
     -----
     Country Name (2 letter code) [AU]                          : IT
     State or Province Name (full name) [Some-State]            : Italia
     Locality Name (eg, city) []                                : Rome
     Organization Name (eg, company) [Internet Widgits Pty Ltd] : Certification Authority [for TEST]
     Organizational Unit Name (eg, section) []                  :
     Common Name (eg, YOUR name) []                             : localhost
     Email Address []                                           :      

     Please enter the following 'extra' attributes
     to be sent with your certificate request
     A challenge password []:
     An optional company name []:
     Using configuration from /usr/lib/ssl/openssl.cnf
     Enter pass phrase for ./demoCA/private/cakey.pem: *********************** 
     Check that the request matches the signature
     Signature ok
     Certificate Details:
             Serial Number:
                 dc:be:98:0a:2e:09:e9:e6
             Validity
                 Not Before: Oct 22 14:14:42 2008 GMT
                 Not After : Oct 22 14:14:42 2011 GMT
             Subject:
                 countryName               = IT
                 stateOrProvinceName       = Italia
             organizationName              = Certification Authority [for TEST]
             commonName                    = localhost
             X509v3 extensions:
                 X509v3 Subject Key Identifier: 
                     E5:C1:DC:34:3A:4B:8A:B7:AA:2E:1D:8C:BC:D1:8F:CA:0F:41:59:28
                 X509v3 Authority Key Identifier: 
                     keyid:E5:C1:DC:34:3A:4B:8A:B7:AA:2E:1D:8C:BC:D1:8F:CA:0F:41:59:28
                     DirName:/C=IT/ST=Italia/O=Certification Authority [for TEST]/CN=localhost
                     serial:DC:BE:98:0A:2E:09:E9:E6

                 X509v3 Basic Constraints: 
                     CA:TRUE
     Certificate is to be certified until Oct 22 14:14:42 2011 GMT (1095 days)

     Write out database with 1 new entries
     Data Base Updated
     ------
	
     The CA is an entity like any other, with a private key and a certificate. 
     In my case the CA vouches for itself: its certificate is self-signed.

     Certification Authority -----.-----> private key : ./demoCA/private/cakey.pem
                                  '-----> certificate : ./demoCA/cacert.pem 



     >>> STEP 5: Create the certificate for the host www.alice.org.

     jack0e@jack0e-laptop:~/myTCPClient$ openssl ca -policy policy_anything \
     -keyfile ./demoCA/private/cakey.pem \
     -cert ./demoCA/cacert.pem \
     -in identity/www.alice.org.csr \
     -out identity/www.alice.org.crt \
     -days 365

     Using configuration from /usr/lib/ssl/openssl.cnf
     Enter pass phrase for ./demoCA/private/cakey.pem: ********************* 
     Check that the request matches the signature
     Signature ok
     Certificate Details:
             Serial Number:
                 dc:be:98:0a:2e:09:e9:e7
             Validity
                 Not Before: Oct 22 14:50:06 2008 GMT
                 Not After : Oct 22 14:50:06 2009 GMT
             Subject:
                 countryName               = IT
                 stateOrProvinceName       = Italy
                 localityName              = Rome
                 organizationName          = Alice ltd
                 organizationalUnitName    = Information Tecnology
                 commonName                = www.alice.org
                 emailAddress              = admin@alice.org
             X509v3 extensions:
                 X509v3 Basic Constraints: 
                     CA:FALSE
                 Netscape Comment: 
                     OpenSSL Generated Certificate
                 X509v3 Subject Key Identifier: 
                     DC:71:F6:DB:90:2B:37:B4:A5:96:64:A7:41:2F:AF:EE:2C:62:87:7A
                 X509v3 Authority Key Identifier: 
                     keyid:E5:C1:DC:34:3A:4B:8A:B7:AA:2E:1D:8C:BC:D1:8F:CA:0F:41:59:28

     Certificate is to be certified until Oct 22 14:50:06 2009 GMT (365 days)
     Sign the certificate? [y/n]:y

     1 out of 1 certificate requests certified, commit? [y/n]y
     Write out database with 1 new entries
     Data Base Updated


     OK, the host www.alice.org has an identity.

     Now I copy the CA's certificate to identity/CA.www.alice.org.pem 
     and create a PEM keystore that stores the private key and the certificate of host www.alice.org together.

     jack0e@jack0e-laptop:~/tmp/myTCPClient$ cp demoCA/cacert.pem identity/CA.www.alice.org.pem
     jack0e@jack0e-laptop:~/tmp/myTCPClient$ cat identity/www.alice.org.key > identity/www.alice.org.keystore.pem
     jack0e@jack0e-laptop:~/tmp/myTCPClient$ cat identity/www.alice.org.crt >> identity/www.alice.org.keystore.pem
 
     www.alice.org --------.------> private key         : ./identity/www.alice.org.key 
                           |------> certificate         : ./identity/www.alice.org.crt 
                           |------> keystore (key+cert) : ./identity/www.alice.org.keystore.pem 
                           '------> certificate CA      : ./identity/CA.www.alice.org.pem       


     I add a new row to my /etc/hosts to associate the FQDN www.alice.org with localhost.

     jack0e@jack0e-laptop:~/Desktop/PdS/Collaudo/SSL/myTCPClient$ cat /etc/hosts
     127.0.0.1       localhost
     127.0.0.1       jack0e-laptop
     127.0.0.1       www.alice.org            <----- New Row 


     jack0e@jack0e-laptop:~/Desktop/PdS/Collaudo/SSL/myTCPClient$ ping www.alice.org
     PING www.alice.org (127.0.0.1) 56(84) bytes of data.
     64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.037 ms
     64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.031 ms

     --- www.alice.org ping statistics ---
     2 packets transmitted, 2 received, 0% packet loss, time 1001ms
     rtt min/avg/max/mdev = 0.031/0.034/0.037/0.003 ms


     Done. The host www.alice.org is up and has an identity.
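     The following Python script is an added example, not part of the manual and not code of myTCPClient. It 
     parses the PEM container produced above (identity/www.alice.org.keystore.pem, an encrypted private key 
     followed by the certificate) and reports what the file holds: the block types, whether the key carries 
     the Proc-Type/DEK-Info headers that OpenSSL writes for an encrypted key, and the cipher named there. 
     It only inspects the container; it does not check that the key matches the certificate. The sample 
     keystore embedded below is constructed for the example, with dummy base64 bodies that are not a real 
     key or certificate; the function names are my own.

```python
import base64
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

# Constructed sample laid out like identity/www.alice.org.keystore.pem:
# encrypted key first, certificate second. The bodies are dummy bytes.
SAMPLE_KEYSTORE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAECAwQFBgcICQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MDAwMTAyMDM=
-----END CERTIFICATE-----
"""


def parse_pem_blocks(text):
    """Return one dict per PEM block: type, RFC 1421 headers, DER length.

    Headers (Key: value) may only appear before the base64 body; a blank
    line separates them from it. A mismatched END line is an error.
    """
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if current is None:
            m = BEGIN.match(line)
            if m:
                current = {"type": m.group(1), "headers": {}, "body": []}
            continue                      # text outside a block is ignored
        m = END.match(line)
        if m:
            if m.group(1) != current["type"]:
                raise ValueError(f"END {m.group(1)} does not match BEGIN {current['type']}")
            der = base64.b64decode("".join(current["body"]), validate=True)
            blocks.append({"type": current["type"],
                           "headers": current["headers"],
                           "der_len": len(der)})
            current = None
        elif not line:
            continue
        elif ":" in line and not current["body"]:
            key, value = line.split(":", 1)
            current["headers"][key.strip()] = value.strip()
        else:
            current["body"].append(line)
    if current is not None:
        raise ValueError(f"unterminated {current['type']} block")
    return blocks


def inspect_keystore(text):
    """Summarise a key+certificate PEM file like the one built in STEP 5."""
    blocks = parse_pem_blocks(text)
    keys = [b for b in blocks if b["type"].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b["type"] == "CERTIFICATE"]
    return {
        "types": [b["type"] for b in blocks],
        "private_keys": len(keys),
        "certificates": len(certs),
        # "Proc-Type: 4,ENCRYPTED" is what openssl genrsa -des3 writes
        "key_encrypted": [b["headers"].get("Proc-Type", "").endswith("ENCRYPTED")
                          for b in keys],
        # "DEK-Info: DES-EDE3-CBC,<iv>" names the cipher protecting the key
        "key_cipher": [b["headers"].get("DEK-Info", "").split(",")[0] or None
                       for b in keys],
        "complete": len(keys) == 1 and len(certs) >= 1,
    }


if __name__ == "__main__":
    print(inspect_keystore(SAMPLE_KEYSTORE))
```

     Because the keystore contains the private key, it is the file to keep encrypted (the Proc-Type header 
     shows that) and readable only by the account that runs the service; the CA certificate copied to 
     identity/CA.www.alice.org.pem contains no secret and can be distributed to clients as their truststore.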




     >>> STEP 6: Start an SSL service on host www.alice.org 

     Now I use OpenSSL to start an SSL service on host www.alice.org; 
     I need an SSL server for the following examples. 

     jack0e@jack0e-laptop:~/myTCPClient$ openssl s_server -accept 8443 \
     -key identity/www.alice.org.key \
     -cert identity/www.alice.org.crt \
     -CAfile identity/CA.www.alice.org.pem \
     -state \
     -verify 0

     Verify depth is 0
     Enter pass phrase for identity/www.alice.org.key: ************************* 
     Using default temp DH parameters
     Using default temp ECDH parameters
     ACCEPT


     Open a new shell for the connection tests...
	



     0x5.3 Examples SSL Connection.
     

     >>> Example 1. SSL connection (the client does not specify any truststore; it has no trusted CA)

     jack0e@jack0e-laptop:~/Desktop/PdS/Collaudo/SSL/myTCPClient$ ./bin/myTCPClient --connect ssl://www.alice.org:8443
     Universal Client TCP version 0.0.4
     Raffaele Granito (c) 2008 Licence GPLv2

     connecting to ssl://www.alice.org:8443 ... 
     The client did not specify its digital identity
     The client did not specify any truststore (null) *Warning*                      X 
     The client has proposed the following ciphersuite +ALL *Warning*                .        
     TCP connection... ok                                                            . 
     SSL::Context::create context client... ok                                       . 
     SSL::Handeshake::Getting version on server... [TLSv1] ok                        . 
     SSL::Handeshake::Getting ciphersuite negotiated... [DHE-RSA-AES256-SHA] ok      . 
     SSL::Handeshake... ok                                                           . 
     SSL::ServerAuthication::Receive and verify identity... ko                       X   
     SSL::ServerAuthication::Error OpenSSL X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN      |  
     A self-signed certificate exists in the certificate chain.                      | 
     The certificate chain could be built up using the untrusted certificates,       |
     but the root CA could not be found locally.                                     X 

     __CUT__


     Warning! Insecure connection.

     The client does not know the certification authority that issued the 
     certificate to the contacted host www.alice.org.
	
     The identity received could be false!  




     >>> Example 2. SSL connection (a truststore holding only the trusted CA) 	

     The client knows and trusts the certification authority that issued the certificate of www.alice.org 

     jack0e@jack0e-laptop:~/tmp/myTCPClient$ bin/myTCPClient \
     --connect ssl://www.alice.org:8443 \
     --truststore ../identity/CA.www.alice.org.pem 

     Universal Client TCP version 0.0.4
     Raffaele Granito (c) 2008 Licence GPLv2

     connecting to ssl://www.alice.org:8443 ... 
     The client did not specify its digital identity
     The client has specified as truststore (Certification Authority) ../identity/CA.www.alice.org.pem
     The client has proposed the following ciphersuite +ALL *Warning* o--------------.
     TCP connection... ok                                                            | 
     SSL::Context::create context client... ok                                       |  
     SSL::Handeshake::Getting version on server... [TLSv1] ok                        | 
     SSL::Handeshake::Getting ciphersuite negotiated... [DHE-RSA-AES256-SHA] ok      |  
     SSL::Handeshake... ok                                                           '------o * Warning * 
     SSL::ServerAuthication::Receive and verify identity... ok                             Insecure Connection 

     __CUT__


     WARNING! This is an insecure connection because we do not know which ciphersuites 
     the server considers valid. For example, if I go back to the SSL server shell 
     I can read some information about the SSL session. 	
     The shared ciphersuites are those valid for both the client and the server. 
     They are sorted in the client's order of preference, from most secure to least secure; 
     in fact, during the negotiation the server chooses the first one: DHE-RSA-AES256-SHA.  
     The list contains insecure ciphersuites, and a client could ask the server to use one of them. 
     There are ciphersuites (not in our case) that provide no encryption of 
     the channel, only authentication or only integrity (for example NULL-SHA or NULL-MD5).

     ACCEPT
     SSL_accept:before/accept initialization
     SSL_accept:SSLv3 read client hello A
     SSL_accept:SSLv3 write server hello A
     SSL_accept:SSLv3 write certificate A
     SSL_accept:SSLv3 write key exchange A
     SSL_accept:SSLv3 write certificate request A
     SSL_accept:SSLv3 flush data
     SSL_accept:SSLv3 read client certificate A
     SSL_accept:SSLv3 read client key exchange A
     SSL_accept:SSLv3 read finished A
     SSL_accept:SSLv3 write change cipher spec A
     SSL_accept:SSLv3 write finished A
     SSL_accept:SSLv3 flush data
     -----BEGIN SSL SESSION PARAMETERS-----
     MHUCAQECAgMBBAIAOQQggkEz1bDE9iU/ZFybGKMoJZy6VY3jXGfElIgzvLJvRgQE
     MIHGe2G5CzqbdUoWwCHium40KF0ZLWRVuFzQZCDRqmh7aMzLAkqpvtDAtQVUHy0K
     /6EGAgRI/18GogQCAgEspAYEBAEAAAA=
     -----END SSL SESSION PARAMETERS-----
     Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:
     EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:
     RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:
     EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
     CIPHER is DHE-RSA-AES256-SHA
     SSL3 alert read:warning:close notify
     DONE
     shutting down SSL
     CONNECTION CLOSED


   
     >>> Example 3. SSL connection (verify the shared ciphersuites) 
     	
     An SSL client can select a shortlist of ciphersuites to be used, in order of preference. 
     For example, I can force the server to use the ciphersuite EXP-RC4-MD5, 
     if the server considers it valid.   

     jack0e@jack0e-laptop:~/tmp/myTCPClient$ ../bin/myTCPClient \
     --connect ssl://www.alice.org:8443 \
     --truststore ../identity/CA.www.alice.org.pem \
     --ciphersuite EXP-RC4-MD5

     Universal Client TCP version 0.0.4
     Raffaele Granito (c) 2008 Licence GPLv2

     connecting to ssl://www.alice.org:8443 ... 
     The client did not specify its digital identity
     The client has specified as truststore (Certification Authority) ../identity/CA.www.alice.org.pem
     The client has proposed the following ciphersuite EXP-RC4-MD5
     TCP connection... ok
     SSL::Context::create context client... ok
     SSL::Handeshake::Getting version on server... [TLSv1] ok
     SSL::Handeshake::Getting ciphersuite negotiated... [EXP-RC4-MD5] ok    <------o   
     SSL::Handeshake... ok
     SSL::ServerAuthication::Receive and verify identity... ok

     __CUT__


     Back in the SSL server shell, this time the shared ciphers contain only EXP-RC4-MD5.
     RC4 is a symmetric encryption algorithm; in this export-grade suite it uses a 40-bit key. 

     ACCEPT
     SSL_accept:before/accept initialization
     SSL_accept:SSLv3 read client hello A
     SSL_accept:SSLv3 write server hello A
     SSL_accept:SSLv3 write certificate A
     Generating temp (512 bit) RSA key...
     SSL_accept:SSLv3 write key exchange A
     SSL_accept:SSLv3 write certificate request A
     SSL_accept:SSLv3 flush data
     SSL_accept:SSLv3 read client certificate A
     SSL_accept:SSLv3 read client key exchange A
     SSL_accept:SSLv3 read finished A
     SSL_accept:SSLv3 write change cipher spec A
     SSL_accept:SSLv3 write finished A
     SSL_accept:SSLv3 flush data
     -----BEGIN SSL SESSION PARAMETERS-----
     MHUCAQECAgMBBAIAAwQgE0gh13TwmmNbn1p/U4erHSI+HrhNUfSHlakNM8Fjj20E
     MExY9psmgE9QEWVeDsM0eU1i7+FEcuuChGI7JxEicY6dnjMRkoKQKhvhID5RaEeM
     06EGAgRI/2XHogQCAgEspAYEBAEAAAA=
     -----END SSL SESSION PARAMETERS-----
     Shared ciphers:EXP-RC4-MD5
     CIPHER is EXP-RC4-MD5
     SSL3 alert read:warning:close notify
     DONE
     shutting down SSL
     CONNECTION CLOSED
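     The following Python script is an added example; it is not part of the manual and not code of 
     myTCPClient or OpenSSL. It reads the "Shared ciphers:" and "CIPHER is" lines printed by openssl s_server 
     in Examples 2 and 3, confirms that the negotiated suite is the first of the client's preference list, 
     and flags every shared suite that falls into one of the weak categories of Table A (no encryption, 
     export-grade 40-bit key, RC4, RC2, single DES, MD5 integrity). The sample inputs are the server output 
     from Examples 2 and 3 above, with the wrapped "Shared ciphers:" line re-joined; Triple-DES and SHA-1 are 
     deliberately not flagged because the table does not treat them as weak. The classification rules and 
     function names are my own.

```python
# Server output from Example 2, with the wrapped "Shared ciphers:" line re-joined.
SAMPLE_EXAMPLE2 = """\
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:\
EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:\
RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:\
EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA
"""

# Server output from Example 3, where the client offered a single suite.
SAMPLE_EXAMPLE3 = """\
Shared ciphers:EXP-RC4-MD5
CIPHER is EXP-RC4-MD5
"""


def weakness_reasons(name):
    """Classify one OpenSSL suite name with the categories of Table A.

    Returns an empty list for a suite the table does not mark as weak.
    """
    reasons = []
    if name.startswith("NULL-"):
        reasons.append("no encryption (integrity only)")
    if name.startswith("EXP-"):
        reasons.append("export-grade 40-bit key")
    if "RC4" in name:
        reasons.append("RC4 stream cipher")
    if "RC2" in name:
        reasons.append("RC2 block cipher")
    if "DES-CBC-" in name:            # single DES; "DES-CBC3" (Triple-DES) does not match
        reasons.append("56-bit single DES")
    if name.endswith("-MD5"):
        reasons.append("MD5 for message integrity")
    return reasons


def audit_shared_ciphers(server_output):
    """Parse s_server output and report what the negotiation allowed."""
    shared, negotiated = [], None
    for line in server_output.splitlines():
        line = line.strip()
        if line.startswith("Shared ciphers:"):
            shared = [c for c in line[len("Shared ciphers:"):].split(":") if c]
        elif line.startswith("CIPHER is "):
            negotiated = line[len("CIPHER is "):].strip()
    weak = {n: weakness_reasons(n) for n in shared if weakness_reasons(n)}
    return {
        "shared": shared,
        "negotiated": negotiated,
        "weak": weak,                              # suite name -> reasons
        # s_server picks the first suite in the client's order, as the text says
        "client_order_honoured": bool(shared) and negotiated == shared[0],
        "negotiated_is_weak": negotiated in weak,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_EXAMPLE2, SAMPLE_EXAMPLE3):
        report = audit_shared_ciphers(sample)
        print(report["negotiated"], "weak:", sorted(report["weak"]))
```

     The audit makes the point of Example 2 concrete: the suite actually used is fine, but more than half of 
     the shared list is weak, and because the server honours the client's order any client that lists a weak 
     suite first (Example 3) gets it. Restricting the list on the server side, not only on the client, is what 
     closes that gap.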


     This time I ask for ciphersuites that my SSL server does not support.
     The handshake fails; this version of myTCPClient does not recognise the reason. 
     The ciphersuites NULL-MD5 and NULL-SHA are insecure for sending confidential data
     because the traffic is not encrypted. 

     jack0e@jack0e-laptop:~/tmp/myTCPClient$ bin/myTCPClient --connect ssl://www.alice.org:8443 \
     --truststore ../identity/CA.www.alice.org.pem \
     --ciphersuite NULL-MD5,NULL-SHA 

     Universal Client TCP version 0.0.4
     Raffaele Granito (c) 2008 Licence GPLv2

     connecting to ssl://www.alice.org:8443 ... 
     The client did not specify its digital identity
     The client has specified as truststore (Certification Authority) ../identity/CA.www.alice.org.pem
     The client has proposed the following ciphersuite NULL-MD5 NULL-SHA 
     TCP connection... ok
     SSL::Context::create context client... ok
     SSL::Handeshake... ko
     unknown error.

     17546:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:578:


      	
     For the time being, I can read the exact error message by looking in the server shell. 

     ACCEPT
     SSL_accept:before/accept initialization
     SSL3 alert write:fatal:handshake failure
     SSL_accept:error in SSLv3 read client hello B
     SSL_accept:error in SSLv3 read client hello B
     ERROR
     15789:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:972:
     shutting down SSL
     CONNECTION CLOSED
 
      
     See http://www.openssl.org/docs/apps/ciphers.html


     
0x6. HTTP Connection

     0x6.1 Examples HTTP Connection

     ___NOT__SUPPORTED__ in this version



0x7. HTTP Over SSL Connection

     0x7.1 Examples HTTPS Connection 

 
     jack0e@debian:~/Desktop/myTCPClient/src$ ../bin/myTCPClient --connect https://www.fornieditore.com:443

     Universal Client TCP version 0.0.4
     Raffaele Granito (c) 2008 Licence GPLv2

     connecting to https://www.fornieditore.com:443/ ... 
     The client did not specify its digital identity
     The client did not specify any truststore (null) *Warning*
     The client has proposed the following ciphersuite +ALL *Warning*
     TCP connection... ok
     SSL::Context::create context client... ok
     SSL::Handeshake::Getting version on server... [TLSv1] ok
     SSL::Handeshake::Getting ciphersuite proposals... [DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:
     AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:
     DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:
     EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:
     EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5] ok
     SSL::Handeshake::Getting ciphersuite negotiated... [DHE-RSA-AES256-SHA] ok
     +The symmetric encryption algorithm used is implemented in the following versions [TLSv1/SSLv3]
     +The symmetric encryption algorithm used provides provides key length of [256]
     SSL::Handeshake... ok
     SSL::ServerAuthication::Receive and verify identity... ko
     SSL::ServerAuthication::Error OpenSSL X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
     The issuer certificate of a locally looked up certificate could
     not be found. This normally means that the list of trusted certificates
     is not complete.

     .----------------------------------------.
     |                                        |
     |        Certificate X.509 Server        |
     |                                        |
     '----------------------------------------'
     Version             | 2
     Serial Number       | -1
     Signature Type      | 0
     Issuer              | /C=ZA
                         | /ST=Western Cape
                         | /L=Cape Town
                         | /O=Thawte Consulting cc
                         | /OU=Certification Services Division
                         | /CN=Thawte Premium Server CA
                         | /emailAddress=premium-server@thawte.com
     not Before          | 26/05/08 00:00
     not After           | 05/06/09 23:59
     Subject             | /C=IT
                         | /ST=BOLOGNA
                         | /L=Sala Bolognese
                         | /O=ARNALDO FORNI EDITORE SRL
                         | /CN=www.fornieditore.com
     Type                | 4145


     Server Request... ok

     [Richiesta Server inviata]
     GET / HTTP/1.0
     User-Agent: myClientTCP
     Host: www.fornieditore.com:443


     Server Response... ok

     [Risposta Server ricevuta]
     HTTP/1.1 302 Found
     Date: Sat, 25 Oct 2008 23:18:33 GMT
     Server: Apache/2.0.54 (Debian GNU/Linux) mod_ssl/2.0.54 OpenSSL/0.9.7k
     Location: http://www.fornieditore.com/
     Content-Length: 212
     Connection: close
     Content-Type: text/html; charset=iso-8859-1

     <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
     <html><head>
     <title>302 Found</title>
     </head><body>
     <h1>Found</h1>
     <p>The document has moved <a href="http://www.fornieditore.com/">here</a>.</p>
     </body></html>


     SSL disconnect... ok
     TCP disconnect... ok
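     The following Python script is an added example, not part of the manual and not code of myTCPClient. 
     With the standard ssl module it reproduces the client-side choices of Examples 1 to 3 in section 0x5.3 
     and of the HTTPS example in section 0x7: with no truststore the chain cannot be anchored (Example 1, 
     and the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY result in 0x7), so the context is built with 
     verification off and a warning; with a CA file such as identity/CA.www.alice.org.pem the chain is 
     verified and, as an extra check the manual's output does not show, the certificate name is matched 
     against the host; a --ciphersuite list is passed through to OpenSSL, so NULL-MD5,NULL-SHA is rejected 
     either by set_ciphers() or by the server's "no shared cipher" alert during the handshake. HARDENED_CIPHERS, 
     the function names and the minimal GET in https_get() are my own choices; https_get() needs network access 
     and is not exercised offline.

```python
import socket
import ssl

# Weak-suite markers taken from Table A: no encryption (NULL), export-grade
# 40-bit keys (EXP), RC4, RC2 and MD5 integrity.
WEAK_MARKERS = ("NULL-", "EXP-", "RC4", "RC2", "MD5")

# My own hardened OpenSSL cipher string for this example (not a myTCPClient setting).
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!RC2:!MD5"


def build_client_context(truststore=None, ciphersuite=None):
    """Return (SSLContext, warnings) mirroring the --truststore and
    --ciphersuite options. Commas in the cipher list are accepted as
    separators, like NULL-MD5,NULL-SHA in Example 3."""
    warnings = []
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check by default
    if truststore:
        ctx.load_verify_locations(cafile=truststore)  # the CA(s) we trust, nothing else
    else:
        # Example 1: no truststore, so no CA can vouch for the server and the
        # identity received could be false. Verification has to be disabled
        # for the handshake to succeed at all, exactly as the tool warns.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        warnings.append("no truststore: server identity is NOT verified")
    if ciphersuite:
        ctx.set_ciphers(ciphersuite.replace(",", ":"))  # ssl.SSLError if nothing selectable
    else:
        warnings.append("no ciphersuite restriction (+ALL): server may pick a weak suite")
    return ctx, warnings


def context_summary(ctx):
    """What the context will accept: verification flags and weak suites enabled."""
    enabled = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in enabled if any(m in n for m in WEAK_MARKERS)]
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "enabled": len(enabled),
        "weak": weak,
    }


def https_get(host, port, ctx, path="/", timeout=5.0):
    """TCP connect, TLS handshake, minimal HTTP/1.0 GET like section 0x7.
    Returns (negotiated cipher name, HTTP status line). Raises
    ssl.SSLCertVerificationError when the chain cannot be verified."""
    request = (f"GET {path} HTTP/1.0\r\nUser-Agent: myClientTCP\r\n"
               f"Host: {host}:{port}\r\n\r\n").encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # SNI + name check
            cipher = tls.cipher()[0]
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    status_line = b"".join(chunks).split(b"\r\n", 1)[0].decode("iso-8859-1")
    return cipher, status_line


if __name__ == "__main__":
    ctx, warns = build_client_context(None, HARDENED_CIPHERS)
    print(warns, context_summary(ctx))
```

     To reproduce the verified case of Example 2, pass truststore="identity/CA.www.alice.org.pem" and call 
     https_get("www.alice.org", 8443, ctx); with the truststore omitted, as in section 0x7, the handshake 
     completes but nothing has confirmed who issued the certificate, which is the situation the tool reports 
     as X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.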



