What's SSL?

Submitted by javelin on Tue, 2003-09-02 09:29

Since the additional of SSL support in the PennMUSH server, I've had several people ask me "What's SSL?" Here's a short answer (for a long answer, visit http://www.openssl.org and read up.)

SSL is short for "Secure Sockets Layer", and refers to a network protocol developed originally by Netscape for secure web browsing. Those 'https://' links refer to http-over-SSL. There are two major versions of SSL (SSLv2 and SSLv3), and the final version was renamed TLSv1 (Transport Layer Security).

SSL/TLS provides three functions that PennMUSH can take advantage of. In order of ease of use, these are:

  • Encrypting the connection to prevent eavesdropping and tampering (insuring privacy and integrity of data)
  • Authenticating the MUSH server to the client, to prevent another system from pretending to be the server and capturing data (insuring privacy and identity)
  • Authenticating the MUSH client to the server, to control access to the server by only allowing authenticated clients to connect, and by logging the identity details of clients who connect.

When PennMUSH is compiled with SSL support, it can be instructed (in mush.cnf) to listen on a second port for SSL connections. It is suggested that you use the port number one higher than your usual MUSH port (e.g. 4201 for normal connections, 4202 for SSL). SSL-enabled clients should connect to the SSL port on the server.

Without any special work, you automatically get the benefits of encryption, as long as the client can support "anonymous ciphers" (and they usually can). Assuming that the client connects to the right server, this protects the user's password and all their data transmitted to the MUSH from being eavesdropped over the network. (Of course, data can still be eavesdropped on the MUSH itself if the server is configured to log commands).

If you want your users to know for sure that they're connecting to the right MUSH, you can get an SSL certificate for your MUSH host, and tell PennMUSH to present it when a client connects. This requires that the client know how to verify the certificate, which most clients don't. So this isn't likely to be used a lot for now.

Similarly, if you want to authenticate clients, you can arrange to issue SSL client certificates to them. PennMUSH does know how to do some verification of client certificates, and can be told to require a valid certificate, but most clients don't know how to present one. So this isn't likely to be used a lot for now.

Which clients support SSL? Currently, I know of two clients that support SSL 'natively': tf5 and BeipMU.

But if you use another client, you're not out of luck. Get yourself the excellent stunnel program from http://www.stunnel.org. Stunnel runs on many operating systems and creates an SSL tunnel - it connects to the server's SSL port and your client connects to a local port that stunnel listens on. Stunnel then relays all the data from your client to the server and takes care of all the SSL stuff -- including both client and server certificates if you wish.

Here's my stunnel.conf file for connecting to M*U*S*H with MUSHclient on a Windows machine:

client = yes
output = logfile.txt
[mush]
connect = mush.pennmush.org:4202
accept = localhost:4202

As you can see, you don't have to tell it much. The first line says that Stunnel should function as a client (it can be a server, too), and the second where it should log messages. Then the [mush] stanza defines a connection named 'mush': stunnel will connect to mush.pennmush.org:4202 and will listen on port 4202 on the client host. Now you run stunnel and you tell MUSHclient to connect to localhost, port 4202, and you're done.

For users, using PennMUSH with SSL is just like using PennMUSH without SSL, except that you can't stay connected to the server during a @shutdown/reboot because of the nature of the SSL protocol (this is, in a sense, a security feature). (The PennMUSH developers may soon program a way around that, however, by separating the process that manages connections from the part that usually needs to reboot.)

More answers about SSL are given in the README.SSL included with PennMUSH and at OpenSSL's web site.