SWI-Prolog SSL Interface
Jan van der Steen
Diff Automatisering v.o.f.
Jan Wielemaker
SWI, University of Amsterdam
The Netherlands
E-mail: jan@swi-prolog.org
This document describes the SWI-Prolog SSL library, a set of predicates
which provides secure sockets to Prolog applications, for example to run
a secure HTTPS server, or access websites using the https
protocol. It can also be used to provide authentication and secure data
exchange between Prolog processes over the network.
Raw TCP/IP networking is dangerous for two reasons: it is hard to tell whether the party you think you are talking to is indeed the right one, and anyone with access to a subnet through which your data flows can tap the wire and listen for sensitive information such as passwords or credit card numbers. The Secure Socket Layer (SSL) deals with both problems. It uses certificates to establish the identity of the peer and encryption to make tapping the wire useless. SSL allows agents to talk in private and to create secure web services.
The SWI-Prolog library(ssl) provides an API very similar to library(socket) for raw TCP/IP connections, but offering SSL server and client sockets.
The SWI-Prolog SSL interface is built on top of the OpenSSL library. This library is commonly provided as a standard package in many Linux distributions. The MS-Windows version is built using a binary distribution available from http://www.slproweb.com/products/Win32OpenSSL.html.
A good introduction on key- and certificate handling for OpenSSL can be found at http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/
An SSL server and client can be built with the following (abstracted) predicate calls:

SSL server   | SSL client
ssl_init/3   | ssl_init/3
ssl_accept/3 |
ssl_open/4   | ssl_open/3
...          | ...
ssl_exit/1   | ssl_exit/1
What follows is a description of each of these predicates and the arguments they accept. For ssl_init/3, the role argument, server or client, denotes whether the SSL socket will have a server or client role in the established connection. With Options various properties of the TCP/IP + SSL connection can be defined, some of which are required and some optional; an overview is given below. The handle of the connection is returned in SSL.
Below is an overview of the Options argument. Some options are required only by the client (marked C), some only by the server (marked S), and some by both client and server (marked CS).

A password hook is called as function(+SSL, -Password) and must unify Password with the password to use.

A certificate verification hook is called as function(+SSL, +Certificate, +Error). Access will be granted iff the predicate succeeds, so a hook that fails on anything it does not explicitly accept fails closed.

One option refers to the certificate given with the certificate_file option described earlier. For a server this option is automatically turned on.

See also socket.pl, provided by the clib package.
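As an added example (not code from the package's own documentation or its example directory), the following ties the call sequence of the table above to the Options and hook signatures just described: a mutually authenticated echo server and a client that talks to it. The predicates ssl_init/3, ssl_accept/3, ssl_open/4, ssl_open/3 and ssl_exit/1 and the two hook signatures are taken from this page; the option names other than certificate_file (host/1, port/1, cert/1, peer_cert/1, cacert_file/1, key_file/1, pem_password_hook/1, cert_verify_hook/1), the certificate file paths and the verified status value are assumptions to check against the library(ssl) you have installed.

```prolog
% Added example: mutually authenticated echo server and client on the
% ssl_init -> ssl_accept -> ssl_open -> ... -> ssl_exit sequence.
% Not part of the original documentation. Option names other than
% certificate_file, the file paths and the status atom `verified` are
% assumptions; verify them against your library(ssl).

:- use_module(library(ssl)).
:- use_module(library(readutil)).

% CA certificate both sides trust (assumed path, see the etc/ examples).
ca_file('etc/demoCA/cacert.pem').

% Password hook, called as function(+SSL, -Password).  Reading the
% password from the environment keeps the secret out of the source.
pem_password(_SSL, Password) :-
    getenv('SSL_KEY_PASSWORD', Password).

% Verification hook, called as function(+SSL, +Certificate, +Error).
% Access is granted iff the hook succeeds, so it fails closed: anything
% other than the assumed "no error" status `verified` is rejected.
verify_peer(_SSL, Certificate, Error) :-
    format(user_error, "peer certificate: ~p~nstatus: ~p~n",
           [Certificate, Error]),
    Error == verified.

% Server: accept connections forever, echo each line back, and make
% sure the SSL context is released even if the loop raises an error.
server(Port) :-
    ca_file(CA),
    ssl_init(SSL, server,
             [ host(localhost),
               port(Port),
               cert(true),          % send our certificate (implied for a server)
               peer_cert(true),     % demand a client certificate as well
               cacert_file(CA),
               certificate_file('etc/server/server-cert.pem'),
               key_file('etc/server/server-key.pem'),
               pem_password_hook(pem_password),
               cert_verify_hook(verify_peer)
             ]),
    call_cleanup(serve_loop(SSL), ssl_exit(SSL)).

serve_loop(SSL) :-
    ssl_accept(SSL, Socket, Peer),          % blocks until a client connects
    format(user_error, "connection from ~p~n", [Peer]),
    ssl_open(SSL, Socket, In, Out),         % server form: ssl_open/4
    call_cleanup(echo(In, Out), (close(In), close(Out))),
    serve_loop(SSL).

echo(In, Out) :-
    read_line_to_codes(In, Line),
    (   Line == end_of_file
    ->  true
    ;   format(Out, "~s~n", [Line]),
        flush_output(Out),
        echo(In, Out)
    ).

% Client: connect, send one line, return the echoed reply as an atom.
client(Port, Message, Reply) :-
    ca_file(CA),
    ssl_init(SSL, client,
             [ host(localhost),
               port(Port),
               cert(true),
               peer_cert(true),
               cacert_file(CA),
               certificate_file('etc/client/client-cert.pem'),
               key_file('etc/client/client-key.pem'),
               pem_password_hook(pem_password),
               cert_verify_hook(verify_peer)
             ]),
    ssl_open(SSL, In, Out),                 % client form: ssl_open/3
    format(Out, "~w~n", [Message]),
    flush_output(Out),
    read_line_to_codes(In, Codes),
    close(In),
    close(Out),
    ssl_exit(SSL),
    atom_codes(Reply, Codes).
```

Start the server in its own thread with `?- thread_create(server(1111), _, []).` and then run `?- client(1111, hello, Reply).` in the same or another Prolog process. Both sides present a certificate and both run the verification hook; because the hook only succeeds for the accepted status, an unknown CA, an expired certificate or a missing client certificate results in a refused connection rather than a silently unauthenticated one.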
Examples of a simple server and client as well as a simple HTTPS server can be found in the example directory, which is located in doc/packages/examples/ssl relative to the SWI-Prolog installation directory. The etc directory contains example certificate files as well as a README on the creation of certificates using OpenSSL tools.
The OpenSSL libraries are not part of the SWI-Prolog distribution, and on systems using packagers with dependency checking, a dependency on OpenSSL is deliberately avoided. This implies that OpenSSL must be installed separately before using SSL with a binary distribution of SWI-Prolog. Most modern Linux distributions have an SSL package. An installer for MS-Windows is available from http://www.slproweb.com/products/Win32OpenSSL.html. The SWI-Prolog SSL interface is currently built using OpenSSL 0.9.7b. Note that the 0.9.7 series has been unsupported by the OpenSSL project for many years; build and run against a currently maintained OpenSSL release.
When installing from source, the package configuration automatically builds the ssl library if a suitable OpenSSL implementation is found. On Windows systems, OpenSSL must be installed prior to building SWI-Prolog, and rules.mk must be edited to reflect the location of the headers and libraries if they are not in the standard search path.
The development of the SWI-Prolog SSL interface has been sponsored by Scientific Software and Systems Limited.