将SSL支持添加到现有的TCP& UDP代码？ [英] Adding SSL support to existing TCP & UDP code?

问题描述

这里是我的问题。

现在我有一个与Windows C ++客户端应用程序通信的Linux服务器应用程序Qt 4.5。）

Right now I have a Linux server application (written using C++ - gcc) that communicates with a Windows C++ client application (Visual Studio 9, Qt 4.5.)

为了确保沟通，最简单的方法是向双方添加SSL支持，而无需完全消除现有协议？

What is the very easiest way to add SSL support to both sides in order to secure the communication, without completely gutting the existing protocol?

这是一个VOIP应用程序，它使用UDP和TCP的组合来初始设置连接和做端口隧道的东西，然后使用UDP流数据。

It's a VOIP application that uses a combination of UDP and TCP to initially set up the connection and do port tunneling stuff, and then uses UDP for the streaming data.

我从头开始创建了安全证书，这对于使这个工作起作用是必要的。

I've had lots of problems in the past with creating the security certificates from scratch that were necessary to get this stuff working.

现有的工作示例代码是理想的。

Existing working example code would be ideal.

谢谢！

推荐答案

SSL非常复杂，因此您将要使用库。

SSL is very complex, so you're going to want to use a library.

有几个选项，例如 Keyczar ， Botan ， cryptlib 等。这些库中的每一个（或其他人建议的库，例如作为Boost.Asio或OpenSSL）将有此示例代码。

There are several options, such as Keyczar, Botan, cryptlib, etc. Each and every one of those libraries (or the libraries suggested by others, such as Boost.Asio or OpenSSL) will have sample code for this.

回答您的第二个问题到现有的代码，而不会引起太多的痛苦）：它将取决于你当前的代码。如果你已经有简单的函数调用Winsock或套接字方法发送/接收 int s， strings 等。那么你只需要重写这些函数的胆量。并且，当然，改变设置套接字的代码开始。

Answering your second question (how to integrate a library into existing code without causing too much pain): it's going to depend on your current code. If you already have simple functions that call the Winsock or socket methods to send/receive ints, strings, etc. then you just need to rewrite the guts of those functions. And, of course, change the code that sets up the socket to begin with.

另一方面，如果你直接调用Winsock / socket函数，可能想编写具有类似语义的函数，但发送数据加密，并用这些函数替换您的Winsock调用。

On the other hand, if you're calling the Winsock/socket functions directly then you'll probably want to write functions that have similar semantics but send the data encrypted, and replace your Winsock calls with those functions.

但是，您可能需要考虑切换到像 Google协议缓冲区或 Apache Thrift （又名Facebook Thrift）。 Google的协议缓冲区文档说，在协议缓冲区之前，有一种请求和响应的格式，使用手动编组/解组合请求和响应，并支持许多版本的协议，这导致了一些非常丑的代码。 ...

However, you may want to consider switching to something like Google Protocol Buffers or Apache Thrift (a.k.a. Facebook Thrift). Google's Protocol Buffers documentation says, "Prior to protocol buffers, there was a format for requests and responses that used hand marshalling/unmarshalling of requests and responses, and that supported a number of versions of the protocol. This resulted in some very ugly code. ..."

您目前处于手动编组/取消编组阶段。它可以工作，事实上我工作的项目确实使用这种方法。但是把它留给图书馆是一件很好的事情。特别是一个已经考虑将来更新软件的图书馆。

You're currently in the hand marshalling/unmarshalling phase. It can work, and in fact a project I work on does use this method. But it is a lot nicer to leave that to a library; especially a library that has already given some thought to updating the software in the future.

如果你走这条路线，你将使用SSL库设置你的网络连接，然后你将通过这些连接推送Thrift / Protocol Buffer数据。而已。它涉及大量重构，但是你最终会得到更少的代码来维护。当我在我提到的项目的代码库中引入Protocol Buffers时，我们能够去掉大约300行的编组/编组代码。

If you go this route you'll set up your network connections with an SSL library, and then you'll push your Thrift/Protocol Buffer data over those connections. That's it. It does involve extensive refactoring, but you'll end up with less code to maintain. When we introduced Protocol Buffers into the codebase of that project I mentioned, we were able to get rid of about 300 lines of marshalling/demarshalling code.

这篇关于将SSL支持添加到现有的TCP& UDP代码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！