Home/ Questions/Q 8267963
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T05:43:06+00:00

I have written a SOAP client using OpenSSL on Linux. I basically did some

  • 0

I have written a SOAP client using OpenSSL on Linux. I basically did some information gathering from OpenSSL website and other online resources and the following code summarises how I send the XML to the SOAP server. 

  SSL_library_init();
  SSL_load_error_strings();
  ERR_load_BIO_strings();
  OpenSSL_add_all_algorithms();

  SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
  SSL* ssl;
  BIO* bio = BIO_new_ssl_connect(ctx);
  if (bio == NULL) {
    SSL_CTX_free(ctx);
    return false;
  }

  BIO_get_ssl(bio, &ssl);
  SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
  char target[]  = "api.betfair.com:https";
  BIO_set_conn_hostname(bio, target);
  BIO_set_nbio(bio,1);
  while (1) {
    if (BIO_do_connect(bio) <= 0) {
      if (!BIO_should_retry(bio)) {
    cout << "Connect failed." << endl;
    BIO_free_all(bio);
    SSL_CTX_free(ctx);         
    return false;
      }      
    } else {
      break;
    }
  }
  KeepAliveReq KeepAliveReq(sessionTok,0,iMode);
  string strMessage = KeepAliveReq.GetXML(false);
  BIO_puts(bio,strMessage.c_str());

This works well enough and has been reliable (if somewhat slow) for a number of weeks. I intentionally omitted the certificate checking phase of the SSL handshake process because at the time I did not really understand the details of it and the server I am sending to is of a well known company. My question is can I assume that my data is being encrypted by the SSL code or not? As far as I can make out from my code, I am not explicitly asking for encryption to occur, I am assuming that this simply occurs as part of the SSL communication process. Has my omission of certificate checking compromised the security of my application with regards to encryption?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your data is still being encrypted—but the question is, to whom?

    The certificate checking process is where we verify that the other party is who they claim to be. When someone orders an SSL certificate, the company who distributes the certificate will undertake measures to ensure they’re giving the certificate and key to the rightful owner of the domain (or other entity) it’s being ordered for. That company will then sign the certificate with their own details, which in turn are signed by a company your computer already trusts.

    When you establish an connection, your computer checks the links to ensure that the certificate is legitimate, i.e. it’s been signed by someone your computer trusts (perhaps indirectly through several layers of trust).

    Skipping this process means anyone could generate a certificate on their own computer for any given website. Assuming they can then hijack connections you make, they can cause your system to believe it’s the well-known company with ease.

    You need to check the certificate to be secure.

    • 0