You don't need to go the HTTP route if you don't want to. HTTP is nice for some things, but for some things it is a waste of overhead.

There are several options for building an SSL wrapped service. The simplest is to build an unencrypted service that suits your needs and then wrap it with stunnel. Not particularly perlish, but solid, secure and very unix-y.

The perlish route has many options. Net::SSLeay provides some simple examples. There are also examples with IO::Socket::SSL ... so I guess my question is: what's your question?

How do I make certificates or whatnot, and then how do they get used in the process?

---

Jeff japhy Pinyan, P.L., P.M., P.O.D, X.S.: Perl, regex, and perl hacker
How can we ever be the sold short or the cheated, we who for every service have long ago been overpaid? ~~ Meister Eckhart

(I'm going to answer in unix idiom, as even on Windows boxes I rarely use anything but CygWin for my command line)

SSL certificate pairs are an example of public key cryptography. Another example of this is PGP. The idea is to use the public/private key pair to exchange a faster "session" key which is used to encrypt the actual information transfer. This means that at a minimum there must be a public/private key pair on one of the two systems. Often, this is the server, although the client (or both systems) can have the keys. The format used is based on the x.509 standard, which makes good reading material for insomniacs.

The SSL style of public keys depends upon establishing an absolutely trusted authority to certify that the certificate belongs to the person claiming it. This is called a certifying authority (or CA). Most (but not all) CA's will charge you money to digitally sign your certificate. For this reason, most systems only use this method for sites which must interact with the untrained public.

You can also create your own CA or generate a stand-alone self-signed certificate. If you expect to need multiple SSL services that will not be seen by the public (say you need many internal test systems for your web development firm), then you should set up your own CA. If this is a one-time problem, a self-signed certificate is all you need. (okay, technically all CA's are also self-signed, but for now we'll just concentrate on getting one cert into use before we try to set up a whole bunch of them)

I usually use OpenSSL to manage my certs. If all you need is just the one certificate, all you need to do is:

$ openssl req -new -x509 -keyout cert.crt -out cert.crt \
>  -nodes -sha1 -days 3650
[download]

All of which means "Request a new x509 certificate and key. Put the private and public keys in the same file. Do not require a password on the private key (otherwise you will have to supply a password somehow each time you start up the service). Use the SHA1 hash to sign the request and set it not to expire for ten years." The program will prompt you for a bunch of answers, but the only really important one is:

Common Name (eg, YOUR name) []:
[download]

Which must match the DNS name that the IP you will be listening on resolves to from the client's point of view. So if your service is behind a NAT, you would need to give the name of the external gateway. (Okay, in point of fact, the connection will still work and be encrypted, but if you get into a bad habit now, you'll break a website some day down the road ...)

Your new cert.crt file is now ready for use on the server. For now we will not use a client-side certificate.

A basic SSL server looks like:

use strict;
use IO::Socket::SSL;
my $cert = '/path/to/cert.crt';
my ($sock, $s);
if(!($sock = IO::Socket::SSL->new( Listen => 5,
                   LocalAddr => 'localhost',
                   LocalPort => 9000,
                   Proto     => 'tcp',
                   Reuse     => 1,
                   SSL_key_file => $cert,
                   SSL_cert_file => $cert
                 )) ) {
    warn "unable to create socket: ", &IO::Socket::SSL::errstr, "\n";
    exit(0);
}
while (1) {  
  while(($s = $sock->accept())) {
    .
    .
    .
  }
}
[download]

While the client is simply:

use strict;
use IO::Socket::SSL;

my $client = new IO::Socket::SSL('localhost:9000');
  .
  .
  .
[download]

Does any of this help?

---

The intelligent reader will judge for himself. Without examining the facts fully and fairly, there is no way of knowing whether vox populi is really vox dei, or merely vox asinorum. — Cyrus H. Gordon

Just Google for how to make SSL certificates and you can find a ton of different docs on the subject.

For something as simple as this I would just use a REST interface with something like Apache/mod_perl... but if you want IO::Socket::SSL is just the same as building any other IO::Socket like server code. Just with the SSL happening in the "background" so to speak on the wire. All you really need to do is provide it with the SSL certificate and key you make.

Frank Wiles <frank@revsys.com>
www.revsys.com

-sam

An HTTP server running over SSL is probably fine, I just didn't think I had to go that route. The specifics of the matter are this: my company has a box that takes care of multi-step routines for database tasks, and we want a secure means to talk to it and get a response back (usually a table row's id). These tasks are things like "add object type X number Y to container number Z", which means updating a handful of tables: a non-atomic process that looks atomic from the outside (that is, from the perspective of the person calling addObjectToContainer("person" => 100, 4923).

So I don't care if the mechanism is https://XXX/addObjectToContainer?otype=person&oid=100&cid=4923, really, I just want something simple. I'm not sending objects back and forth. Just simple data TO the server, and an ID number BACK.

---

Jeff japhy Pinyan, P.L., P.M., P.O.D, X.S.: Perl, regex, and perl hacker
How can we ever be the sold short or the cheated, we who for every service have long ago been overpaid? ~~ Meister Eckhart