23

If we have a proprietary binary protocol used by some application, can we use SSL/TLS to encrypt the protocol's payload without tunneling it through HTTP?

Peter Mortensen
  • 885
  • 5
  • 10
HSN
  • 968
  • 5
  • 14
  • It's a while back since we looked at this, but the SSLeay/OpenSSL demo files came with sample files (`serv.cpp` and `cli.cpp`) from which you can layer SSL (and, presumably, TLS) over a normal socket connection. In essence: you first create a "context" at each end (using the certificate on the server end), then after opening the socket (but before sending any of _your_ data), you add calls to `SSL_connect()` or `SSL_accept()`. It's then mostly a matter of mapping `send()` and `recv()` calls into `SSL_write()` and `SSL_read()`. – TripeHound Mar 20 '17 at 10:12
  • 14
    I'm voting to close this question as off-topic because it lacks basic research – paj28 Mar 20 '17 at 13:33
  • 2
    TLS = Transport Layer Security. HTTP is at the application layer, above the transport layer. So yes, of course you can use TLS without HTTP. – Ajedi32 Mar 20 '17 at 15:22
  • http://stackoverflow.com/questions/16056135/how-to-use-openssl-to-encrypt-decrypt-files – david25272 Mar 21 '17 at 00:36
  • 1
    @paj28 I agree it seems to lack basic research, but StackExchange **is** a source of research for many professionals. Where is the line? – Pedro Mar 21 '17 at 00:41
  • I think it should stay. If more people (especially politicians) stopped to wonder whether the same encryption that underpins the world's economy could be used for other purposes, it might stop them trying to ban encryption. – david25272 Mar 21 '17 at 00:45
  • 1
    @david25272 I'm not seeing what this question has to do with that, except that they both involve encryption. – user253751 Mar 21 '17 at 04:37
  • Technically this is on-topic. It's also a duplicate to our canonical question [How does SSL/TLS work](https://security.stackexchange.com/q/20803/5405). – S.L. Barth Mar 21 '17 at 12:13

2 Answers2

38

Can we use SSL/TLS to encrypt the protocol's payload without tunneling it through HTTP?

Absolutely. TLS provides secure communication on top of the transport layer and you can easily employ it as a transparent wrapper around your own custom protocols.

   One advantage of TLS is that it is application protocol independent.
   Higher-level protocols can layer on top of the TLS protocol
   transparently.  The TLS standard, however, does not specify how
   protocols add security with TLS; the decisions on how to initiate TLS
   handshaking and how to interpret the authentication certificates
   exchanged are left to the judgment of the designers and implementors
   of protocols that run on top of TLS.

(from RFC 5246 for TLS 1.2)

HTTP just happens to be one possible application-layer protocol that is commonly transmitted over TLS. There are many other examples where TLS is added to secure a protocol that has no built-in encryption. E.g., if you use a desktop email client, the communication with the mail server (probably using IMAP/POP3/SMTP) will likely be wrapped in TLS, too. TLS can also be used as an encrypted tunnel for the entire network stack for VPN applications (although OpenVPN only uses TLS for authentication, not for for encrypting the actual data - thanks, @ysdx).

Arminius
  • 44,242
  • 14
  • 143
  • 138
  • Don't forget IRC! – Nayuki Mar 20 '17 at 18:57
  • 1
    AFAIU, OpenVPN does **not** use TLS for encrypting the payload (packets). As explained, in the page you mention, TLS is only used for « for the authentication and key exchange mechanism » (the control channel). The tunneled packets themselves (the data channel) are not encapsulated in the TLS layer. See https://openvpn.net/index.php/open-source/documentation/security-overview.html, « P_CONTROL_V1 -- Control channel packet (usually TLS ciphertext) » vs « P_DATA_V1 -- Data channel packet containing actual tunnel data ciphertext ». – ysdx Mar 21 '17 at 08:28
17

Yes, TLS can be used for general transport layer security (as the name suggests). A few common uses:

  • HTTP (HTTPS)
  • FTP (FTPS)
  • SMTP (SMTPS)
  • VPN
Xiong Chiamiov
  • 9,402
  • 2
  • 35
  • 78