SSL stands for Secure Socket Layer, a protocol developed by Netscape for secure transactions across the Web. SSL uses a form of public key encryption, where the information can be encoded by the browser using a publicly available public key, but can only be decoded by someone who knows the corresponding private key.

The most common ciphers used with SSL are RC2 and RC4. These ciphers use 128-bit keys, which offers a high degree of security. An "export" version of these ciphers is also available; the export versions use 40-bit keys, but are otherwise idential to their equivalent 128-bit versions. Inside the USA a license from RSA is required to use these ciphers.

The Sambar Server is designed to integrate either the publically available SSLeay package from OpenSSL and/or RSA SSL-C. Neither of these packages are shipped with the Sambar Server, they must be purchased or downloaded from their respective suppliers and placed in the bin directory. United States users are required to use the RSA SSL-C package until the RSA patent expires on September 20, 2000.

Note: The current version of the Sambar Server has been tested with the SSLeay DLLs v0.9.0 (10-Apr-1998) and the OpenSSL v0.9.5a DLLs. The SSLeay libraries are the predecessor to OpenSSL; these packages should be compatible. Further, the RSA SSL-C package is also purported to be compatible with SSLeay; regretably four phone calls to the company and three e-mails have gone unanswered with regards to obtaining this package for compatibility testing.

Configuration
The SSL DLLs are not shipped with the Sambar Server. In order to run in secure mode, the appropriate Sambar Server configuration parameters must be set and the SSLeay DLLs ssleay32.dll and libeay32.dll must be placed in the bin directory where the Sambar Server is installed. If these DLLs are not present, the server will fail to initialize the HTTPS server.

Details
During initialization, if the Act as HTTPS configration parameter is set to true the server attempts to load the SSL library from the bin directory using the operating system dynamic loader (LoadLibrary/dlsym). The following function names must be present in the library:

libeay32.dll:CRYPTO_set_locking_callback
libeay32.dll:RSA_generate_key
ssleay32.dll:SSL_load_error_strings
ssleay32.dll:SSLeay_add_sll_algorithms or SSL_library_init
ssleay32.dll:SSLv23_server_method
ssleay32.dll:SSL_CTX_new
ssleay32.dll:SSL_CTX_free
ssleay32.dll:SSL_CTX_ctrl
ssleay32.dll:SSL_CTX_use_certificate_file
ssleay32.dll:SSL_CTX_use_PrivateKey_file
ssleay32.dll:SSL_new
ssleay32.dll:SSL_free
ssleay32.dll:SSL_set_shutdown
ssleay32.dll:SSL_set_fd
ssleay32.dll:SSL_connect
ssleay32.dll:SSL_accept
ssleay32.dll:SSL_get_current_cipher
ssleay32.dll:SSL_CIPHER_get_name
ssleay32.dll:SSL_get_version
ssleay32.dll:SSL_get_error
ssleay32.dll:SSL_pending
ssleay32.dll:SSL_set_read_ahead
ssleay32.dll:SSL_read
ssleay32.dll:SSL_write


Upon accepting a connection on the HTTPS port, the function SSL_get_current_cipher() is called to determine what cipher is being used to connect to the server. Regardless of how the SSL package has been configured, only the following ciphers are accepted by the Sambar Server (all other connections are issued a rejection message):

SSL_RC4_64_WITH_MD5
SSL_RC4_128_WITH_MD5
SSL_RC4_128_EXPORT40_WITH_MD5
SSL_RC4_128_CBC_WITH_MD5
SSL_RC4_128_CBC_EXPORT40_WITH_MD5


Note: My original application only requested 40-bit export approval. The list above includes the 128-bit ciphers. My understanding of the new government regulations is that 128-bit ciphers are acceptable at this time (12/27/2000).