💾 Archived View for thrig.me › tech › ssl › pingpong.gmi captured on 2023-11-04 at 12:59:42. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-04-19)

-=-=-=-=-=-=-

Ping-Pong

Ping-pong is a simple system where a server listens for "PING" requests from any clients, and sends a "PONG" response. The client verifies the server, and the server verifies the client; both use the same key and certificates. The task of distributing the key and certificate in a secure fashion to the necessary systems is left as an exercise to the reader. Additional restrictions could be made with a firewall so that only certain IP addresses could access the service.

Something like this service I have used where the management ordered inexpensive UPS against the wishes of the IT group. These UPS could not be plugged into the same host as both UPS used the same identification as far as the UPS software NUT, or Network UPS Tools, was concerned. Therefore I plugged the UPS into two different hosts, and had the hosts communicate the UPS state to one another, and had various logic on when to decide to do mass host shutdowns should both the UPS be running out of battery.

The software that shipped with the UPS was for 32-bit Fedora of a version maybe a decade out of date. Since we were using not 32-bit and not Fedora, the vendor provided software was not adequate, hence the use of NUT.

I'm not sure whether any money was saved, given the time it took to write and debug the software versus simply purchasing more expensive UPS. Maybe it is wise to not point out this sort of troublesome detail to management. On the plus side, the code was easy to adapt into a SSL certificate tester thing.

Code

The implementation is in TCL, which spares me the trouble of learning some modern or popular language. This may also increase the educational value, as the reader may wish to implement the same in some other language, and thus may learn more from so doing.

pingpong.tcl

On OpenBSD 7.2, this requires the tcl and tcltls packages. Get TCL 8.6.

    $ doas pkg_add tcl tcltls
    ...

The code will need valid certificate and key files. Generation of certificates is covered elsewhere.

certificates.gmi

minimum-ca.gmi

Assuming the certificate and key are available and that there are no other problems, such as from a firewall, a good run should produce something like:

    $ chmod +x pingpong.tcl
    $ ./pingpong.tcl host.cert host.cert host.key
    SERVER listen 35172
    CLIENT localhost 35172 pinging
    SERVER client 127.0.0.1 30065
    SERVER ponging
    CLIENT server said: PONG 1680910728618
    CLIENT localhost 35172 pinging
    SERVER client 127.0.0.1 37128
    SERVER ponging
    CLIENT server said: PONG 1680910729172
    CLIENT localhost 35172 pinging
    SERVER client 127.0.0.1 7786
    SERVER ponging
    CLIENT server said: PONG 1680910729730

Other clients could connect to this server, provided they use suitable certificate and key values, and the server sticks around long enough to be tested against, which will doubtless require modifying the code to not exit so quickly.

https://www.tcl-lang.org/

index.gmi

tags #tcl #ssl