Encrypted (SSL/TLS) Network Communication

RTIP-32 is shipped with the OpenSSL libraries Libcrypto.lib and Libssl.lib as well as all OpenSSL include files in directory Include\openssl. The currently used OpenSSL version is 1.1.0c. Its licensing terms are included in file Include\openssl\LICENSE. Applications can use the OpenSSL API to implement encrypted network communication. For the documentation of OpenSSL, please see Web site www.openssl.org. On Time does not provide technical support for OpenSSL. Note that the OpenSSL 1.1.0 series reached end of life in September 2019 and no longer receives security fixes, so check which release your RTIP-32 version actually ships before relying on it in a deployed product.

In addition, applications can also use the Simplified Networking API with encryption support, declared in header file Include\Sock.h. It is similar to the Berkeley Socket API, but easier to use. It supports UDP, TCP, and encrypted TCP sockets.

SSL/TLS Initialization

Applications which need encrypted network communication must first initialize RTIP-32, then initialize OpenSSL, and then call function net_init_ssl to bind RTIP-32 to the OpenSSL library. Demo programs SSLServer and SSLClient do this in their function SSLInitialize (the NULL check after SSL_CTX_new is added here; the demos omit it):

#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

void SSLInitialize(void)
{
   SSL_CTX * sctx;

   SSL_library_init();                            // initialize OpenSSL library (optional since 1.1.0, which initializes itself)
// sctx = SSL_CTX_new(SSLv23_method());           // create context for server and client
// sctx = SSL_CTX_new(SSLv23_server_method());    // create server context
   sctx = SSL_CTX_new(SSLv23_client_method());    // create client context
   if (sctx == NULL)                              // out of memory or library not initialized
   {
      ERR_print_errors_fp(stderr);
      return;
   }
   net_init_ssl(sctx);                            // bind RTIP-32 to OpenSSL library
}

OpenSSL provides many different functions to create an encryption context. The example above shows the recommended function for combined server/client use, for servers, and for clients. In OpenSSL 1.1.0 the SSLv23_* names are compatibility aliases for TLS_method, TLS_server_method, and TLS_client_method: they negotiate the highest TLS version both peers support, SSLv2 is no longer available at all, and SSLv3 is disabled in a default build. The context must then be passed to function net_init_ssl.

A context created as above uses OpenSSL's default verification mode SSL_VERIFY_NONE. For the client this means the handshake succeeds with any server certificate, so the connection is protected against passive eavesdropping but not against an active attacker presenting its own certificate. Production clients should therefore call SSL_CTX_set_verify with SSL_VERIFY_PEER and load the trusted certificate(s) with SSL_CTX_load_verify_locations before calling net_init_ssl; setting a floor with SSL_CTX_set_min_proto_version (available since OpenSSL 1.1.0) is also advisable. Servers that require client certificates need the same verification settings.

To be able to call OpenSSL API functions and function net_init_ssl, the application must link libraries Libcrypto.lib and Libssl.lib after Rtip.lib. Please note that the OpenSSL functions need a lot of stack space. A minimum of 64 KB stack size is recommended for all threads which use secure sockets.
Server Certificate Installation

Servers must also install a certificate and the private key used for the encryption. Demo programs SSLServer and WebServer do this with this code:

SSL_CTX_set_ecdh_auto(sctx, 1);    // no-op in OpenSSL 1.1.0, where automatic curve selection is always on; kept for 1.0.2 sources
if (SSL_CTX_use_certificate_file(sctx, "cert.pem", SSL_FILETYPE_PEM) != 1)
{
   ERR_print_errors_fp(stderr);
   Error("SSL_CTX_use_certificate_file failed");
}
if (SSL_CTX_use_PrivateKey_file(sctx, "key.pem", SSL_FILETYPE_PEM) != 1)
{
   ERR_print_errors_fp(stderr);
   Error("SSL_CTX_use_PrivateKey_file failed");
}

Files cert.pem and key.pem must be available on the target. For our demos they were created with this OpenSSL command:

openssl req -x509 -new -nodes -keyout key.pem -out cert.pem -days 365

Two things to be aware of: the -nodes option writes the private key unencrypted, so key.pem must be protected on the target's file system, and the resulting certificate is self-signed, i.e. not signed by a trusted certificate authority. A client that verifies certificates will therefore refuse it unless it has been told to trust it. To support certificate verification by clients, either obtain a certificate from a certificate authority the clients already trust, or install the self-signed certificate (or the certificate of a private CA that signed it) on the clients as a trust anchor; the latter is common for devices without a public host name. After loading the key, SSL_CTX_check_private_key(sctx) can be called to confirm that it matches the certificate. Please note that OpenSSL provides many more functions to install a certificate, also in other formats.

SSL/TLS Network Communication

The Berkeley Socket API does not support encrypted communication. In particular, the following functions must be replaced with the respective functions of the Simplified Networking API with encryption support:
Encrypted communication is only supported for TCP (SOCK_STREAM) sockets, which may be allocated with function socket or net_socket. Before the socket is connected through net_connect, function net_set_socket_secure must be called to place the socket in secure mode. Server master (listening) sockets must be placed in secure mode before net_listen or listen is called. As a consequence, all sockets returned by net_accept will already be in secure mode.
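Returning to the Server Certificate Installation section: the certificate produced by the demo command there is self-signed and, with a stock openssl.cnf, carries no subjectAltName, which is why a verifying client refuses it and why the demo client gets away with not verifying. The shell script below is an added illustration, not part of the RTIP-32 distribution or its demo programs. Using the same openssl tool, it repeats the generation step through a small request config so the certificate gets a subjectAltName, confirms the key belongs to the certificate, and then runs the trust decisions a verifying client makes: rejection against the default trust store, acceptance when the device certificate is pinned as a trust anchor and the host name matches, rejection again when the name differs. The host name rtip-device.local and the 2048-bit RSA key size are assumptions; run it on a development host, not on the target.

```shell
#!/bin/sh
# Added example (not RTIP-32 or On Time demo code): generate the server key/cert the way the
# page does, but with a subjectAltName, then exercise the client-side trust decisions.
# Assumptions: host name rtip-device.local (made up), RSA-2048, openssl binary in PATH.
set -eu

WORK=$(mktemp -d)
HOST="rtip-device.local"

# 1. Generate key.pem/cert.pem like the page's one-liner, but through a throw-away req config
#    so the certificate carries a subjectAltName; without it host name verification fails.
gen_cert() {
    cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $HOST
[ext]
subjectAltName = DNS:$HOST
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$WORK/req.cnf" -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# 2. The check SSL_CTX_check_private_key performs on the target: the public key inside
#    cert.pem must equal the public half of key.pem. Returns 0 when they match.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/key.pem" -pubout)" ]
}

# 3. A client that only trusts its default CA store rejects the self-signed certificate.
#    Returns 0 when verification is (correctly) refused.
rejected_by_default_store() {
    ! openssl verify -no-CAfile -no-CApath "$WORK/cert.pem" >/dev/null 2>&1
}

# 4. Equivalent of a client that loads cert.pem as its trust anchor
#    (SSL_CTX_load_verify_locations) and checks the host name: verification succeeds.
accepted_when_pinned() {
    openssl verify -CAfile "$WORK/cert.pem" -verify_hostname "$HOST" \
        "$WORK/cert.pem" >/dev/null 2>&1
}

# 5. Even a pinned client must reject the certificate when the name does not match;
#    this is what stops one device's certificate from impersonating another.
rejected_for_wrong_host() {
    ! openssl verify -CAfile "$WORK/cert.pem" -verify_hostname "other-device.local" \
        "$WORK/cert.pem" >/dev/null 2>&1
}

gen_cert
key_matches_cert          && echo "private key matches certificate"
rejected_by_default_store && echo "default trust store: rejected (self-signed)"
accepted_when_pinned      && echo "pinned cert + host name $HOST: accepted"
rejected_for_wrong_host   && echo "pinned cert + wrong host name: rejected"
```

On the client side, the pinned case corresponds to calling SSL_CTX_load_verify_locations with the device certificate (or the private CA certificate that signed it), SSL_CTX_set_verify with SSL_VERIFY_PEER, and SSL_set1_host on the SSL object for the name check (all available in OpenSSL 1.1.0). A certificate bought from a public CA removes the pinning step but still needs the verify mode and host name settings; none of them are enabled by the context shown in the SSL/TLS Initialization section.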