💾 Archived View for thrig.me › tech › ssl › pingpong.gmi captured on 2024-08-25 at 00:29:14. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-04-19)
-=-=-=-=-=-=-
Ping-pong is a simple system where a server listens for "PING" requests from any clients, and sends a "PONG" response. The client verifies the server, and the server verifies the client; both use the same key and certificates. The task of distributing the key and certificate in a secure fashion to the necessary systems is left as an exercise to the reader. Additional restrictions could be made with a firewall so that only certain IP addresses could access the service.
Something like this service I have used where the management ordered inexpensive UPS against the wishes of the IT group. These UPS could not be plugged into the same host as both UPS used the same identification as far as the UPS software NUT, or Network UPS Tools, was concerned. Therefore I plugged the UPS into two different hosts, and had the hosts communicate the UPS state to one another, and had various logic on when to decide to do mass host shutdowns should both the UPS be running out of battery.
The software that shipped with the UPS was for 32-bit Fedora of a version maybe a decade out of date. Since we were using not 32-bit and not Fedora, the vendor provided software was not adequate, hence the use of NUT.
I'm not sure whether any money was saved, given the time it took to write and debug the software versus simply purchasing more expensive UPS. Maybe it is wise to not point out this sort of troublesome detail to management. On the plus side, the code was easy to adapt into a SSL certificate tester thing.
The implementation is in TCL, which spares me the trouble of learning some modern or popular language. This may also increase the educational value, as the reader may wish to implement the same in some other language, and thus may learn more from so doing.
On OpenBSD 7.2, this requires the tcl and tcltls packages. Get TCL 8.6.
$ doas pkg_add tcl tcltls
...
The code will need valid certificate and key files. Generation of certificates is covered elsewhere.
Assuming the certificate and key are available and that there are no other problems, such as from a firewall, a good run should produce something like:
$ chmod +x pingpong.tcl
$ ./pingpong.tcl host.cert host.cert host.key
SERVER listen 35172
CLIENT localhost 35172 pinging
SERVER client 127.0.0.1 30065
SERVER ponging
CLIENT server said: PONG 1680910728618
CLIENT localhost 35172 pinging
SERVER client 127.0.0.1 37128
SERVER ponging
CLIENT server said: PONG 1680910729172
CLIENT localhost 35172 pinging
SERVER client 127.0.0.1 7786
SERVER ponging
CLIENT server said: PONG 1680910729730
Other clients could connect to this server, provided they use suitable certificate and key values, and the server sticks around long enough to be tested against, which will doubtless require modifying the code to not exit so quickly.
tags #tcl #ssl