In order to change odds, machine must be in idle mode with no tokens or credits being played. Locate internal toggle switch (red tipped or silver with on/off tabs) or insert key into internal key switch (if your machine came with 2 keys). Machine must be turned OFF. Turn key clockwise or flip reset toggle switch to the 'ON' or 'ODDS' position. You can buy slot machines at ebay, craigslist and many online auction sites. All you need is to decide is what exactly you are looking for as we have here for you used slot machines, some antique which are awesome Vintage collection like some of the old fruit machines.
| Allegro CL version 10.1 Unrevised from 10.0 to 10.1. 10.0 version |
This document contains the following sections:
1.0 Introduction and background2.0 Support for Internet Protocol version 6 (IPv6)
3.0 IP addresses in Allegro CL
4.0 Characteristics
5.0 Stream Sockets
5.1 Connections
5.2 Host Naming
6.0 Variables
7.0 Functions
8.0 Errors
9.0 Sockets and SMP
10.0 Examples
11.0 Secure Socket Layer (SSL)
11.1 The algorithm for loading the OpenSSL library
11.2 SSL History
11.3 Secure connections
11.4 Client/Server
11.5 Authentication
11.6 Certificates
11.7 CRL support
11.8 The Allegro CL SSL API
1.0 Introduction and background
Sockets are a mechanism for interprocess communication designed atU.C. Berkeley for use in their version of Unix. Sockets have beenadded to many other versions of Unix and there is an implementation ofsockets for Windows called Winsock. This document describesthe Allegro interface to sockets. This interface works on Unix and onWindows.
Symbols naming objects in the socket utility are in theacl-socket
package. It has the nicknamesocket
.
The socket module is not included in all versions of Allegro CL. Ifit is present, it is (by default) included in a development image (onebuilt with the include-devel-env argument to build-lisp-image specified true). Toload the socket module if it is not present in an image, evaluate
Note that runtime images cannot include the development environment(so include-devel-env must be specified nil
when a runtime image is being built). If thesocket module is needed, it must be loaded when the image isbuilt. See runtime.htm,building-images.htm anddelivery.htm for more information.
2.0 Support for Internet Protocol version 6 (IPv6)
Allegro CL supports Internet Protocol version 6 sockets (IPv6sockets). As part of this support, several new functions have beenadded and several functions have been modified. The new functions areipv6, get-ip-interfaces, ipaddrp, ipaddr-equalp, ipv6-address-p, and (added in a June,s006 update) dotted-address-p. The modified functions aredotted-to-ipaddr,dns-query, lookup-hostname, make-socket, and send-to. There is also a newvariable *ipv6*
.
The feature :ipv6
is addedto the *features*
list to indicate IPv6 support.
IPv6 support may be unusable on MacOS X 64-bit
Because of apparent bugs in Mac OS X 64-bit, certain IPv6functionality may be restricted or unusable. In particular:
- The get-ip-interfacesfunction will signal an error.
- Name-based scope ids will not work.
3.0 IP addresses in Allegro CL
Throughout the socket documentation, we make use of the term IPaddress. But what exactly is an IP address? Unless furtherclarified in the context in which it is used, an IP address iseither an unsigned 32-bit integer or an ipv6 address structure.
The function socket:ipaddrp returns true when passedan IP adress. That function can be used to identify an object as an IPaddress. (Unsigned 32 bit integers obviously have other uses thatrepresenting IP addresses. The function simply determines whether thetype and form of its argument is suitable as an IP address.)
4.0 Characteristics
There are three independent characteristics of sockets:
type | Valid values: A A |
address family | Valid values: In order to send to another socket the socket must have a name. An On Unix, port numbers less than 1024 can only be allocated by aprocess with the user id of root. A Note that the current version of the socket interface on Windows(Winsock, version 1.1), does not support the |
format | Valid values: This isn't a property of the Unix socket implementation but is instead something we've added for the Common Lisp implementation since a Lisp stream is either binary (supports |
Note on bivalent format:
Starting in release 5.0.1, the bivalent format is accepted forstream sockets. Bivalent means that the stream will accept text andbinary stream functions. That is, you can write-byte or write-char, read-byte or read-char. A bivalent stream is useful in thehttp protocol (used between web browsers and web servers) since inthat protocol the header data is sent in text format and the body canbe in binary data (image files, for example).
Internally a bivalent socket stream is configured like a binarysocket stream with 8 bit bytes. Character position is notmaintained.
Bivalent socket streams have very efficient read-sequence andwrite-sequence implementations (as long as the sequence is either avector of element-type character
, (unsigned-byte8)
or (signed-byte 8)
).
Bivalent socket streams also support the chunking protocol found inhttp/1.1. This protocol allows the sender to signal end of filewithout closing down the stream.
5.0 Stream Sockets
5.1 Connections
Stream sockets have a fourth characteristic called connect,with a value :active
or:passive
. In order to use stream sockets you haveto set up a link between two of them. That link is called aconnection. You set up a connection in this way:
- Machine A: create a passive socket at port port-b:
- Machine B: create an active socket telling it to connect to Machine A,port port-b:
- Machine A: wait for a connect request from anyone and when it occursreturn a stream for I/O:
- When the accept-connection returns, machine A canuse stream str-a to send messages to machine B and machine Bcan use stream
s-b
to send messages to machine A.
Note that steps 2 and 3 can occur in either order.
Note the asymmetry: a passive socket is not a Lisp stream (youcan't do read and write to it). An active socket is a Lisp stream.
When accept-connection
is called on apassive socket, it does not return until a connection is made to thepassive socket. The valueaccept-connection
returns is astream.
As long as the passive socket is not closed, new connections canstill be made to the port of that socket.
An active socket can be used for only one connection. Once thatconnection has been made, the socket should be closed and a new activesocket created.
5.2 Host Naming
Host naming conventions: this package supports three conventionsfor naming a host:
hostname | A string using the domain naming convention, e.g. 'ftp.franz.com'. The domain naming system is case-insensitive. |
dotted | A string which is the printed representation of the numeric address:e.g. '192.132.95.84' . We also support the nonstandard Berkeley extensions to this format for class A addresses:'23.3' (which is the same as'23.0.0.3' ) and class B addresses'128.1.3' (which is the same as'128.1.0.3' ). IPv6 colon hex format, e.g.,'fe80::209:5bff:fe8e:61c1', is also supported. See dotted-to-ipaddr. |
ipaddr | An unsigned 32-bit number, representing the IPv4 address in the native byte order for the host. Thus 192.132.95.84 is 192*2^24 + 132*2^16 + 95*2^8 + 84 = 3229900628. |
IPv6 | An IPv6 address structure. |
6.0 Variables
The variables defined by the interface are:
Please provide the value of this variable when asking for technical support with sockets as it tells us whether you have the latest version.
This variable controls whether the socket printing code converts theip address of a socket into a hostname. This is usually what you want,however this can be a slow process (taking up to a minute toaccomplish). The default value for this variable is t
. See the full description for a discussion of thecauses of the possible slowdown when the value is t
.
Specifies the default value of the ipv6 keywordargument to lookup-hostname and make-socket.
7.0 Functions
The first table shows general functions defined by the interfaceand the second shows accessors.
Function | Arguments | Notes (follow function link for full description) |
accept-connection | (sock passive-socket) &key wait | Generic function. Establishes a connection. If wait is nil and no connection is pending, returns nil and does nothing further. If wait is true (the default), waits until a connection is established. When a connection is established, returns the stream that communicates with the socket. |
dotted-to-ipaddr | dotted &key errorp | Function. Converts a string like '192.132.95.84' or similar format to an unsigned 32-bit IP address. IPv6 'colon hex' address notation, including the %scopeid extension isalso supported as is IPv4-mapped IPv6 address notation(::ffff:w.x.y.z). |
dotted-address-p | object | Function. Returns true if its argument isa string in dotted IP address form. |
get-ip-interfaces | Function. Returns a list of conses of interface id's and names. | |
ipaddr-to-dotted | ipaddr &key values | Function. Convert a 32-bit unsigned IP address, ipaddr , to a string in dotted form. This function works on IPv6 address structures as well. |
ipaddr-equalp | add1 add2&key compare-scope-id | Function. Returns true if its two internet address arguments match. |
ipaddr-to-hostname | ipaddr | Function. Returns, as a string, the hostname of the machine withaddress ipaddr.ipaddr should be a 32-bit IP address or an IPv6address structure or IPv6 colon hex strings. |
ipaddrp | object | Function. Returns true if its argument is an IP address. |
ipv6 | internet-socket | Generic function. Returns true if its argument is an IPv6 socket. |
ipv6-address-p | object | Function. Returns true if its argument is an IPv6 address structure. |
lookup-hostname | hostname | Given a string naming a host, a 32-bit IP address, a stringin dotted form, or a IPv6 address structure or IPv6 colon hex strings,return the 32-bit IP address for the host. |
lookup-port | portnameprotocol | Function. Finds the port number using the symbolic name andthe protocol. |
make-socket | &key type format address-family connect eol ipv6 scope-id &allow-other-keys | Function. See the full description for details. |
with-pending-connect | &body body | Macro. See the full description for details. |
receive-from | (sock datagram-socket) size &key buffer extract | Generic function. This is used to read from a datagram socket. |
send-to | sock &key remote-host remote-port ipv6 scope-id | Generic function with methods for internet-datagram-socketsand file-datagram-sockets |
set-socket-options | sock &key | Generic function for modifying existing sockets. |
shutdown | sock &key direction | Generic function that closes down the specified half of the bidirectional socket connection. |
socket-control | stream &key output-chunking output-chunking-eof input-chunking | This function modifies the state of the socket stream, controlling input and output chunking. |
socket-os-fd | sock | Generic function. Return the operating system file descriptor associated with this socket. |
Socket Accessors
These functions retrieve slot values from socket instances. Thevalues of these slots are set when the socket is created.
Function | Arguments | Notes (follow function link for full description) |
remote-host | socket | Generic function. Returns an IP address. |
local-host | socket | Generic function. Returns an IP address. |
local-port | socket | All are generic functions. All return the values of the particular attribute for socket. Note: Both internet stream and internet datagram sockets use 16-bit port numbers. Note that stream (tcp) port N is totally distinct from datagram (udp) port N. |
remote-filename | socket | |
local-filename | socket | |
remote-port | socket | |
socket-address-family | socket | |
socket-connect | socket | |
socket-format | socket | |
socket-type | socket | |
ipv6 | internet-socket |
8.0 Errors
When errors are raised by the socket interface, Lisp conditions aresignaled. This section describes those conditions.
A condition
is a CLOS class and thus fits intothe hierarchy of CLOS classes. The condition socket-error
is a subclass of the conditionstream-error
.
socket-error
is thesuperclass for all socket related errors. See More oncl:stream-error in errors.htm.
socket-error
denotes operating systemdetected socket errors. It has the following slots:
Name | Reader function | What |
excl::identifier | stream-error-identifier | Symbol denoting this error (see table below) |
excl::code | stream-error-code | Operating system dependent error code (if any) |
excl::action | stream-error-action | String describing the operation in progress when the error occurred |
Handling socket error is difficult because the error returned inexceptional situations can depend on the operating system and theaddress of the other side of the connection. For example, attemptingto make a connection to a machine that is down may result in a'Connection Timed Out' or a 'Host Unreachable'error, or maybe something else on certain systems.
The error codes assigned to socket errors vary from operatingsystem to operating system. We translate a large set of the commonerror codes from a machine dependent number to a symbol which we callthe identifier
to make it easier for you towrite portable code. Condition handling code should check theidentifier field (using stream-error-identifier) If theidentifier value is :unknown
then this is not acommon socket error and the operating system dependent code value ofthe condition must be used.
Possible identifier
values and their meanings:
Identifier | Meaning |
:address-in-use | Local socket address already in use |
:address-not-available | Local socket address not available |
:network-down | Network is down |
:network-reset | Network has been reset |
:connection-aborted | Connection aborted |
:connection-reset | Connection reset by peer |
:no-buffer-space | No buffer space |
:shutdown | Connection shut down |
:connection-timed-out | Connection timed out |
:connection-refused | Connection refused |
:host-down | Host is down |
:host-unreachable | Host is unreachable |
:protocol-not-available | Protocol not available |
:unknown | Unknown error |
9.0 Sockets and SMP
An SMP (symmetric multiprocessing) Lisp runs one of more OS threadswhich can use more than one processor(see multiprocessing.htm). When a socket is openedin one SMP process, do not close it from another process.
Cl Error Code For Babal Slot Machine Jackpots
If you have a process which is reading from a socket and that socketfails so the reading process hangs, you can wake the process up usinga process interrupt. So assuming hung-process is the reading process andhung-socket is the socket, the following form executed in anotherprocess breaks the read (with an error) and closes the socket:
You can also wrap the read in a (catch 'dead-partner...)
and the from another process do:
10.0 Examples
Create an active stream socket connection to a socket that just prints characters to whomever connects to it. After connecting, read the first five characters and print them out. |
Cl Error Code For Babal Slot Machine Machines
Sending a message from frisky to vapor: on vapor: on frisky: Then you see on vapor: A flaw in this example is that on vapor we've left the socket and the stream open and we lost track of the objects to close them. So, while concise, this is not a good programming style. Another problem with this example is that when we created the port on vapor we used a specific port number (9933). This means our program will fail if port 9933 is already in use. If possible, it is best to let the system choose a port number (this is done by not specifying a : |
If we just want to send a simple message then datagrams might be more appropriate (although the program must guarantee that the message made it because datagram communication is unreliable). on vapor: on frisky: on vapor: |
11.0 Secure Socket Layer (SSL)
Allegro CL supports Secure Socket layers as described in this section.Seealso aserve/aserve.html,which describes Webserver support in Allegro CL. Using any httpsfeature in aserve triggers loading of the :ssl
module (i.e. evaluates (require :ssl)
).
Allegro CL loads OpenSSL libraries dynamically whenthe :ssl
module is loaded. Also loaded is theappropriate one of the Allegro CL-specific shared libraries aclssl
, aclissl
, aclssl11
, andaclissl11
. See *aclssl-name*
for descriptions of theseshared library files.
The system must be told either the version of SSL to be loaded (thesystem knows whether it uses 8-bit or 16-bit characters) or exactlywhich of the libraries should be loaded. How this information isdetermined is described in the next section. If the incorrect AllegroCL library is loaded (say aclissl
ratherthan aclissl11
when SSL 1.1 is loaded) there willnot be an immediate error but difficult to debug errors will likelyoccur later.
Newly installed versions of OpenSSL libraries will be usedwhen installed on your computer without (usually) requiring an AllegroCL update. It is however the user's responsibility to ensure thatOpenSSL libraries are available, properly updated, and findable.
To support OpenSSL 1.1, there is a new patch (released in August,2019) that handles that version as well as continuing to handle SSL1.0 (in both cases, all minor SSL releases -- the third number inrelease X.Y.Z -- are also handled.) This documentation has been updated toreflect behavior assuming the new patch has beeninstalled. See sys:update-allegro for information ongetting patches.
Users must themselves download and install OpenSSL libraries for theircomputers, and make sure these are updated when necessary. Further,users must ensure that Allegro CL knows where to find the OpenSSLlibraries. On some platforms, there are standard locations whereAllegro CL will look. On all platforms, environment variables or Lispvariables can be used to specify the library location.
Here is how to set things up for using OpenSSL:
- If your machine automatically installs OpenSSL libraries, it islikely everything will work without furtheraction. Try
(require :ssl)
in Lisp. If it works,you are done. If things load without error, you canconfirm which SSL version is loaded by calling openssl-version. - If your machine does not automatically install and update OpenSSLlibraries, you must get them and update themyourself. See Installing OpenSSL librariesin installation.htm for information on installingOpenSSL libraries. If you install them in the standard location onyour platform, nothing further should berequired. Again try
(require :ssl)
and call openssl-version. If the library cannotbe found, you must set the appropriate environment variable (alwaysprior to starting Allegro CL). - If you want to use a version of the OpenSSL libraries not in thestandard location and perhaps not with their standard names, thatis supported. Simply set the appropriate environment variable and/orLisp variable appropriately. See the next section andalso
*ssl-library-names*
.
In all cases, if (require :ssl)
loadsthe :ssl
module andthe aclssl
/aclissl
library andloads the OpenSSL library without error, you are ready to use SSL.
The function openssl-versionreturns information about the version of the OpenSSL library which isloaded and the version used to buildthe aclssl
/acl1ssl
/aclssl11
/aclissl11
library.
Most Allegro CL platforms support SSL. All that dohave :ssl-support
included onthe *features*
list.
The SSL functionality is in the ssl module. Toensure it is loaded, evaluate (require:ssl)
. Calling either of the two SSL functions, make-ssl-client-stream andmake-ssl-server-stream, automaticallyloads that module.
If you are including the SSL facility in an application intended fordelivery, be sure to include the :ssl
module byadding the keyword :ssl
to the list which is thevalue of the input-files argumentto generate-application. Ifthe copy-shared-libraries argument to thatfunction is false, then the aclssl/aclissl sharedlibrary must be copied explicitly from the Allegro CL installationdirectory to the generated application directory. When the generatedapplication is run, it must be possible to locate the the OpenSSLshared libraries in the same way that is described above.
11.1 The algorithm for loading the OpenSSL library
In this section, we give the exact steps on the various platforms forfinding and loading the OpenSSL library. Usually user want the latestversion available on their machines (so 1.1 if it is available,otherwise 1.0) but there may be cases where 1.0 is wanted even though1.1 is also installed.
To repeat what we said in the previous section: tryevaluating (require :ssl)
. If it worksand openssl-versionindicates the desired version of OpenSSL has been loaded, you are done.
If (require :ssl)
signals an error or results inthe wrong version of OpenSSL being loaded, then you must take furtheraction.
Allegro CL must know the following things in order to loadthe :ssl
module successfully:
- The names of the two OpenSSL library files. These areusually libcrypto and libsslon UNIX machines, libeay32and ssleay32 on Windows, with some extension butusers or the system may have given the files other names. You can tellthe system what these names are by setting the environmentvariable
ACL_SSL_LIBRARY_NAMES
or by setting thevalue of*ssl-library-names*
to something otherthannil
(the variable value overrides theenvironment value). If the variable isnil
and the environment variable is unset, default names are used based onthe OpenSSL version being loaded. See below for how the variable orenvironment variable should be set. If you set either the environmentvariable or the Lisp variable, you must also specify the OpenSSL version,either by setting*aclssl-version*
or by settingtheACL_OPENSSL_VERSION
as described the the thirdbullet. - The location of those OpenSSL libraries. They are looked for usingthe paths listed in
LD_LIBRARY_PATH
(on Solaris andUNIX machines),DYLD_LIBRARY_PATH
(on Macs), andPATH
on Windows machines. - The version of OpenSSL to load (1.0 or 1.1). If the library namesare specified as described in the first bullet above (that is, eitherthe environment variable
ACL_SSL_LIBRARY_NAMES
hasa value or the Lisp variable*ssl-library-names*
is given a non-nil value,you must also specify the OpenSSL version. You do this by setting the Lispvariable*aclssl-version*
to(1 0)
or(1 1)
as the OpenSSL version is 1.0 or 1.1, orsetting the environmentvariableACL_OPENSSL_VERSION
to '10' (meaning OpenSSL1.0) or '11' (meaning OpenSSL 1.1). If the Lisp variable isnon-nil
it overrides the environmentvariable. IfACL_SSL_LIBRARY_NAMES
does not have avalue and*ssl-library-names*
isnil
, then the system checks theenvironment variableACL_SSL_LIBRARY_NAMES
and theLisp variable*aclssl-version*
to determine the version(suitable values are given above). If both are set(and*aclssl-version*
is non-nil
), the environment variable isignored. If the environment variable is not setand*aclssl-version*
isnil
, then the shell command opensslversion is run (thePATH
environment variablemust contain the correct directory to allow that command to run). - The name of the Allegro CL OpenSSL shared library file, a linkageto the OpenSSL libraries on your system. The standard namesare
aclssl
,aclissl
,aclssl11
, andaclissl11
. The 'acl' (no 'i') files are for 8-bitLisps. The 'acli' files are for 16-bit Lisps. The files ending in '11'are for OpenSSL 1.1. The others are for OpenSSL 1.0. The value of the variable*aclssl-name*
is thelibrary name. If*ssl-library-names*
is set to anon-nil
value, the valueof*aclssl-name*
mustalso be set to the correct standard name. If*ssl-library-names*
isnil
but the environmentvariableACL_SSL_LIBRARY_NAMES
has a value, theappropriate one of the associated environmentvariablesACL_ACLSSL_NAME
(for 8-bit Lisps)andACL_ACLISSL_NAME
(for 16-bit Lisps) must be setto the correct standard Allegro CL OpenSSL library name. That value willbe used to set*aclssl-name*
.
With those four pieces of information, Allegro CL can loadthe :ssl
module and associated libraryfiles. Standard defaults are used and usually if (require:ssl)
succeeds, all the needed files are successfully foundand loaded. If (require :ssl)
fails or loads aversion of OpenSSL that is not the desired version, then correctedinformation must be provided so the right files and libraries can befound. We describe how to do that in the remainder of this section.
As described, you can set these variables:
*ssl-library-names*
:if set (and non-nil), all other variables are ignoredexcept*aclssl-name*
,which should be non-nil
. (The variableifnil
will get its value from one of theenvironment variablesACL_ACLSSL_NAME
orACL_ACLISSL_NAME
if the appropriate one, the firstfor 8-bit character Lisps, the second for 16-bit, is set.)ACL_SSL_LIBRARY_NAMES
: if this environment variableis set and*ssl-library-names*
isnil
, all other variables are ignoredexcept*aclssl-name*
,which should be non-nil
. (The variableifnil
will get its value from one of theenvironment variablesACL_ACLSSL_NAME
orACL_ACLISSL_NAME
if the appropriate one, the firstfor 8-bit character Lisps, the second for 16-bit, is set.)*aclssl-version*
: ifset and non-nil
, the value must beeither(1 0)
for OpenSSL 1.0 or(11)
for OpenSSL 1.1. Then*aclssl-name*
is set to the appropriatestandard Allegro CL library name (if already set, that value isignored) and*ssl-library-names*
is set to built-invalues.- None of the variable above are given values: the shellcommand openssl version is run and the system proceeds as if
*aclssl-version*
were set to the valuereturned.
Finding OpenSSL library on Windows:
The procedure above is used. Note only that the valueof *ssl-library-names*
, if set, should be alist of two items, and the value of ACL_SSL_LIBRARY_NAMES, if set,should be a string concatenating two filenames (with extensions)separated by a single space.
Finding OpenSSL library on UNIX and the Mac:
The procedure above is used. Note only that the valueof *ssl-library-names*
, if set, should be atwo-item list. The items can be a string naming a file (withextensions) or a list of strings naming files (withextensions). ACL_SSL_LIBRARY_NAMES, if set, a string concatenating twofilenames (with extensions) separated by a single space.
11.2 SSL History
In 1994 Netscape Corporation designed the Secure Socket Layer (SSL) protocolto provide a means of safely and securely transporting private data(such as credit card numbers) between a Web Browser and a Web Server.Rather than tie SSL to the http protocol, Netscape wrote it as aprotocol for making any TCP/IP connection secure.
At the end of 1994 version 2 of SSL was introduced and this was thefirst version shipped with a commercial web browser (NetscapeNavigator (r)). In 1995 version 3 of SSL was introduced. At thatpoint an international standards organization (IETF) took over work onSSL and introduced Transport Layer Security (or TLS) protocol (whichis based on SSL but has a different handshake protocol). The IETFintroduced TLS version 1.0 in 1999.
Allegro CL, starting in release 6.0, provides an interface thatsupports SSL version 2, SSL version 3 and TLS version1. When we use the name SSL, we mean SSL or TLS.
11.3 Secure connections
A secure TCP connection exists between two processes when both agree on the following:
- A cryptographic algorithm (called a cipher) to convert data (plaintext) toencrypted data (ciphertext) and back to plaintext.
- A secret key to use in the cryptographic algorithm. A secret key is essential since the cryptographic algorithms themselves are wellknown. There is a distinct key for each direction of datatransmission (client to server and server to client).
- An authentication method used in each packet to ensure that thecontents of the packets have not been altered in transit in some way.
These three items are determined via negotiation when theconnection is made and the first data is to be sent.
11.4 Client/Server
In an SSL connection, one side is the client and the other side isthe server. In the http environment, the web browser is the clientand the web server is the server.
When a secure connection is started, the client starts the negotation by telling the server all the possible waysthat it can communicate securely. The server then choosesone of the possible ways and informs the client.
Then the server sends its certificate and possibly other certificatesif they are needed to prove that its certificate can be trusted.The important item in the certificate is the public key forthe server. The client will use this public key to encrypta random value which will be used by both the client and serverto create the keys needed for the cipher chosen for data transmission.
In theory a certificate isn't necessary if both the client andserver side support a key exchange algorithm that can generatea public key on the fly. The SSL libraries we use donot have this capability, thus you must always supply a server certificate.
Once both sides know the keys the other side will use to transmit,the secure data transmission can occur.
11.5 Authentication
The SSL protocol also permits each side of the connection to declare who they are. This is done by the exchange of certificates.The server must send a certificate describing itself to the client. The server can request that the client send a certificate to theserver (although in the use of SSL on the web this is never done).
11.6 Certificates
A certificate is a digital document that stores information aboutan entity in such a way that it can be verified to be true.The primary use of certificates is to store the public keythat can be used to send encrypted messages to the entity.
In the SSL protocol certificates have two uses:
- Encrpytion - by providing a public key they enable encrypted messagesto be sent.
- Authentication - the certificate proves that theentity on the other end of the socket is who it claims to be.
Strictly speaking a certificate isn't required for SSL communicationif both sides support a certain key exchange protocol. The OpenSSL libraries we use do not support this protocol thuswhenever you create a server SSL stream you must supply a certificate (if you don't have your own we supply one in <Allegro directory>/examples/ssl/server.pemthat you can use).
While certificates support authentication, the SSL protocol doesn'trequire that you take advantage of this facility.
A certificate contains the following:
- A Subject Identifier: a set of fields describing where the subjectis geographically and its role within an organization.
- A Subject Public Key: the key that can be used to encrypt messagesthat only the Subject can decrypt since only the Subjecthas the associated private key.
- A Valid Time Interval: the interval of time during which thiscertificate is valid.
- An Issuer Identifier: just like the Subject Identifier but describingthe entity that certifies that the Subject is who it says it isand that the public key is the correct one for the subject.
- An Issuer signature: a value which can be used by anyone toverify that the Issuer and only the Issuer signed this documenttestifying to it being correct.
- Various other fields: like serial numbers, version numbers, andother minor things.
A certificate is a combination of text and binary data and in order tomake it easy to transport certificates they are usually encoded in aform called PEM which turns them into a sequence of printablecharacters.
When a web browser connects to a site via SSL (which is causedby the use of the 'https:' at the beginning of the url), it checks three things about the certificate:
- Does it know the Issuer and did the Issuer sign the certificate? Aweb browser knows about a set of Issuers (called CertificateAuthorities) when it's installed on the machine (the Issuercertificates are part of the files that make up the web browser).
- Is the certificate valid right now or has it expired?
- Is the certificate for the machine we've contacted? If the url was
https://www.foo.com/whatever
then the certificatemust be forwww.foo.com
. The convention used is tostore the name of the server machine in the CommonName slot of theSubject Identifier field of the certificate.
If all three tests pass then the web browser silently accepts thecertificate and does a secure web page access. If any of the testsfail then the web browser notifies the user and waits for a response.Each browser displays the failure differently. For example, theMicrosoft Internet Explorer (r) shows which of the three tests passedand which failed while the Netscape Navigator (r) just says that itreceived an invalid certificate. In both cases the person using theweb browser is given the option of continuing with the webaccess. Transmission will still be secure if it is elected tocontinue. The only issue in doubt is the authenticity of the webserver.
11.7 CRL support
The SSL implementation includes certificate revocation list (CRL)support. CRL checking is controlled bythe crl-check and crl-filekeyword arguments to make-ssl-client-stream andmake-ssl-server-stream.
If you enable CRL checking, you must supply a properPEM-encoded CRL, even if it contains zero revocations. If you do notsupply a CRL, peer verification will never succeed.
11.8 The Allegro CL SSL API
The following operators, variable and class comprise the SSL API. make-ssl-client-stream andmake-ssl-server-streamcreate the streams that are used for communication. All symbols namingthese objects are in the acl-socket
(nicknamedsocket
) package.
- get-ssl-peer-certificate (genericfunction)
- get-ssl-verify-result(generic function)
- make-ssl-server-context (function)
- make-ssl-client-context (function)
- make-ssl-client-stream (function)
- make-ssl-server-stream(function)
- ssl-do-handshake(generic function)
x509-certificate
(class)- x509-certificate-issuer (genericfunction)
- x509-certificate-not-after (genericfunction)
- x509-certificate-not-before (genericfunction)
- x509-certificate-serial-number (genericfunction)
- x509-certificate-issuer (genericfunction)
- x509-certificate-subject (genericfunction)
- x509-certificate-subject-alt-name (genericfunction)
- x509-certificate-version (genericfunction)
The following function, variable, and classes (naming conditions) arerelated to loading and using OpenSSL libraries. The conditions aresignaled when there are problems loading the OpenSSL library. Allthese symbols are in the excl
package.
The file <Allegrodirectory>/examples/ssl/server.pem is a samplecertificate and private key file. You can use this file when startingthe server side of an SSL connection. The AllegroServe facility usesSSL. It is described in aserve/aserve.html.