Userspace libevent2-based TLS wrapping daemon for use with the Secure Socket API
Clone or download
Permalink
Failed to load latest commit information.
extras removed overwrite print out from addons.c file Aug 16, 2018
qrdisplay fixed broken qrpopup.c code Jul 2, 2018
test_files made it so that the simple test goes to the first page of a website s… Aug 27, 2018
.gitignore Working demo Jun 8, 2018
Makefile made make file hostname-support conforment with README Aug 16, 2018
README.md Fixed the link to the kernel module Aug 27, 2018
auth_daemon.c fixed compile warnings for all makefile builds Aug 13, 2018
auth_daemon.h moved conection status macros to .h file Jul 2, 2018
build-client-auth.sh fixed the auto removal of sub-repoes by the build script Aug 10, 2018
config.c Fixing invalid memory access in CSR daemon and fixing config.c to not… Jun 26, 2018
config.h started adding configuration to tls_wrapper Mar 9, 2018
csr_daemon.c fixed compile warnings for all makefile builds Aug 13, 2018
csr_daemon.h start of csr daemon Mar 29, 2018
daemon.c Fixed a timeout issue on connect/handshake Aug 13, 2018
daemon.h Fixing makefile type and addressing resulting warnings Jun 13, 2018
hashmap.c finished adding configuration into tls_wrapper Mar 13, 2018
hashmap.h Merging sock_ctx_t and listener_ctx_t, making sigint handler use sevs Dec 1, 2017
hashmap_str.c Fixing makefile type and addressing resulting warnings Jun 13, 2018
hashmap_str.h finished adding configuration into tls_wrapper Mar 13, 2018
in_tls.h switched TCP to TLS Aug 10, 2018
install_packages.sh exchanged a package for one that also provides ssa.so dependancys Aug 16, 2018
issue_cert.c Fixing invalid memory access in CSR daemon and fixing config.c to not… Jun 26, 2018
issue_cert.h Adding helper for getting private key from memory May 11, 2018
log.c Adding TrustBase integration code from our demo/test VM Apr 19, 2018
log.h fixed compile warnings for all makefile builds Aug 13, 2018
main.c reconfigured main.c to build csrdaemon on default builds Aug 21, 2018
netlink.c Fixing makefile type and addressing resulting warnings Jun 13, 2018
netlink.h Fixing makefile type and addressing resulting warnings Jun 13, 2018
notification.c took another few characters off the disconnected notification Jul 10, 2018
notification.h created an h file for notifications Jul 2, 2018
nsd.c changed install script to work with Ubuntu Linux Aug 16, 2018
nsd.h Code to interface with authentication devices Jun 4, 2018
openssl_compat.c Fixing makefile type and addressing resulting warnings Jun 13, 2018
openssl_compat.h Adding preliminary support for server SNI sockopts and adding files f… Mar 2, 2018
queue.c Adding a queue for finishing up the refactor Nov 20, 2017
queue.h Committing some more changes for synchronization. Not finished, just … Nov 20, 2017
removeClientAuth.sh changed testshopt to paymore all over Jul 24, 2018
self_sign.c Fixing makefile type and addressing resulting warnings Jun 13, 2018
self_sign.h Adding Mark's self-sign code to main Jun 4, 2018
ssa.cfg added default cert store location for ubuntu as a comment Aug 16, 2018
ssa.conf Added config file Feb 6, 2018
startClientAuth.sh made minnor edits to group paths with spaces Aug 9, 2018
tb_communications.h Adding TrustBase integration code from our demo/test VM Apr 19, 2018
tb_connector.c Fixing makefile type and addressing resulting warnings Jun 13, 2018
tb_connector.h Adding TrustBase integration code from our demo/test VM Apr 19, 2018
tls_wrapper.c fixed compile warnings for all makefile builds Aug 13, 2018
tls_wrapper.h Fixing makefile type and addressing resulting warnings Jun 13, 2018

README.md

The Secure Socket API (SSA) Userspace Daemon

The SSA is a Linux kernel module that allows programmers to easily create secure TLS connections using the standard POSIX socket API. This allows programmers to focus more on the developement of their apps without having to interface with complicated TLS libraries. The SSA also allows system administrtors and other power users to customize TLS settings for all connections on the machines they manage, according to their own needs.

Publication

You can read more about the SSA, it's design goals, and features in our USENIX Security 2018 paper

ssa-daemon

Userspace libevent2-based TLS wrapping daemon for use with the SSA

Prerequisites

The SSA has two components - a kernel module and a userspace daemon (this repository). Both need to be installed and running to provide TLS as an operating system service. The kernel component has its own README with installation instructions, and you are encouraged to build and install and component first.

The install_packages.sh script currently installs dependencies for Fedora and Ubuntu systems. You may need to modify this script or install some packages manually if you are using a different Linux distribution.

Compatibility

The SSA is actively developed on Fedora, but may compile and run on other systems with some minor changes.

Using the SSA

We will be providing a formal API specicification in this README and on owntrust.org in the very near future. Eager users are encouraged to see our publication (linked above), code, or to contact us directly with questions.

Status

The SSA is currently a research prototype. As such, it should not yet be used in any mission critical environments. However, we are working toward release as a viable tool for the general public.

Building and Running

You must have the SSA kernel module installed before you build and run the SSA userspace daemon. To install and run the SSA userspace daemon you need to run these commands as root:

  make
  ./tls_wrapper

If you want to also have support for the AF_HOSTNAME address type, run make hostname-support instead of make. This feature will be included by default soon.

Configuration

Configuration is currently in the process of being better-integrated into the userspace daemon. When we finalize the configuration API, it will be specified here and on owntrust.org. See our paper (linked above) for a preview of the types of configuration options administrastors will have.

Notices

The SSA is still undergoing large changes as we finalize the interface between it TrustBase, and other certificate validation strategies. Some commits may disable certificate validation temporarily while we work out the kinks between using TrustBase for traffic interception and using its API for certificate validation.