This is the main page for ETSI's implementation of the Middlebox Security Protocols (MSP) in OpenSSL, produced and maintained by TC Cyber. It is intended for developers who want to build the MSP OpenSSL library, run the demonstration programs, use the library in their own software, or contribute to the development of the library itself.
Current Implementation Status
| Specification | Title | Status |
|---|---|---|
| TS 103 523-2 | Transport layer MSP, profile for fine-grained access control | In progress |
| TS 103 523-3 | Transport layer MSP, profile for data centre access control | In progress |
Compiling the library (Unix/Linux)
- Clone the library from the git repository: `git clone https://forge.etsi.org/gitlab/cyber/MSP-OpenSSL`
- Configure the build by running the `./config` script (a wrapper around `Configure`, as in upstream OpenSSL). It accepts many options, and its behaviour can also be changed through environment variables. Useful ones include:
  - `--prefix=DIR` to change the directory under which the library, headers and `openssl` binary are installed, and `--openssldir=DIR` to change where the installed OpenSSL looks for its configuration file and certificate store (upstream `Configure` treats these as two separate settings; `--openssldir` on its own does not move the installed libraries).
  - `shared` / `no-shared` to control whether shared libraries are built (the demonstration programs and any software linking the MSP library dynamically need `shared`).
- Run `make` to compile the library.
- Run `make install` to copy the compiled library, headers and binaries into the installation directory (default: /usr/local/openssl). Keep this prefix separate from the system OpenSSL: the distribution's own libssl/libcrypto are linked by many other packages and must not be overwritten by an experimental build.
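The build steps above gathered into one script, as an added example that is not part of the ETSI repository. The `msp_*` function names, the `MSP_SRC` / `MSP_PREFIX` variables, the default prefix `/opt/msp-openssl` and the choice of `lib`/`lib64` as candidate library directories are this script's own assumptions; the `./config` options it passes (`--prefix`, `--openssldir`, `shared`) are standard OpenSSL `Configure` options. The post-install check verifies that everything a downstream build needs landed under the separate prefix, so a later `make install` into the system OpenSSL's location by mistake is easy to spot.

```shell
#!/bin/sh
# Build MSP-OpenSSL into its own prefix so the system OpenSSL is left untouched.
# Added example; the msp_* helpers and /opt/msp-openssl are this script's own
# conventions (assumptions), not part of the ETSI repository.
set -eu

MSP_REPO="https://forge.etsi.org/gitlab/cyber/MSP-OpenSSL"
MSP_SRC="${MSP_SRC:-$PWD/MSP-OpenSSL}"        # where the clone lives
MSP_PREFIX="${MSP_PREFIX:-/opt/msp-openssl}"  # install root, separate from the OS OpenSSL

# Arguments handed to ./config: install under PREFIX, keep the config file and
# cert store under PREFIX/ssl, and build shared libraries for the demo programs.
msp_configure_args() {
    prefix="$1"
    printf '%s' "--prefix=$prefix --openssldir=$prefix/ssl shared"
}

# Clone once; later runs reuse the existing checkout.
msp_fetch() {
    [ -d "$1/.git" ] || git clone "$MSP_REPO" "$1"
}

# config + make + make install, run from inside the source tree.
msp_build() {
    src="$1"; prefix="$2"
    (
        cd "$src"
        # word-splitting of the argument string is intended here
        ./config $(msp_configure_args "$prefix")
        make -j"$(nproc 2>/dev/null || echo 2)"
        make install
    )
}

# Locate the directory holding libssl.so under the prefix (assumption: the
# build installs into lib or lib64). Prints the directory, returns 1 if absent.
msp_libdir() {
    for d in lib lib64; do
        if [ -e "$1/$d/libssl.so" ]; then
            printf '%s' "$1/$d"
            return 0
        fi
    done
    return 1
}

# Post-install check: libssl, libcrypto, the public headers and the openssl
# binary must all be present under the prefix. Prints the library directory on
# success; names the first missing file and returns 1 otherwise.
msp_check_install() {
    prefix="$1"
    if ! libdir=$(msp_libdir "$prefix"); then
        echo "missing: libssl.so under $prefix/lib or $prefix/lib64" >&2
        return 1
    fi
    for f in "$libdir/libcrypto.so" "$prefix/include/openssl/ssl.h" "$prefix/bin/openssl"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f" >&2
            return 1
        fi
    done
    printf '%s\n' "$libdir"
}

msp_main() {
    msp_fetch "$MSP_SRC"
    msp_build "$MSP_SRC" "$MSP_PREFIX"
    libdir=$(msp_check_install "$MSP_PREFIX")
    echo "Installed under $MSP_PREFIX. Before running the demos:"
    echo "  export LD_LIBRARY_PATH=$libdir:\${LD_LIBRARY_PATH:-}"
    echo "  export PATH=$MSP_PREFIX/bin:\$PATH"
    # Confirm the binary from the prefix resolves against the prefix's own libssl.
    LD_LIBRARY_PATH="$libdir" "$MSP_PREFIX/bin/openssl" version
}

# Only perform the network fetch and build when invoked as: sh build-msp.sh build
if [ "${1:-}" = "build" ]; then
    msp_main
fi
```

Run it as `sh build-msp.sh build` (with `MSP_PREFIX` exported if `/opt/msp-openssl` is not wanted). Because the demo programs and anything else linked against this build resolve `libssl.so` at run time, export `LD_LIBRARY_PATH` as the script prints, or link with an rpath pointing at the prefix; otherwise the dynamic loader silently picks up the system OpenSSL, which has no MSP support.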
The evaluation/demonstration folder contains source code and build scripts for the demonstration programs: a client, a middlebox and a server. Its subfolders contain scripts that run the client, middlebox and server in different configurations to demonstrate the MSP capabilities. The following demonstrations are currently available:
| Demonstration | Description |
|---|---|
| Demo 1 - Simple Middlebox | A simple server that echoes any command back to the client, showing how to use the OpenSSL API to build a client, a server and a middlebox and to set up the connection between them. |
| Demo 2 - Multiple Contexts | Sending data in different contexts, and how either the client or the server can restrict the middlebox's permission to inspect the content of each context. |
| Demo 3 - No Reencryption | A middlebox that is permitted to change content, showing that a middlebox may modify the data but does not need to re-encrypt data it leaves unchanged. This allows a middlebox that has no need to monitor a connection beyond its setup to drop out of it. |