Hi there,

Your second question happens to concern what I'm working on right now. Sometimes rather than developing an application "on top" (think layer architecture) of OpenSSL, you might want to give your application control over the network access but still use OpenSSL as a security module that doesn't encapsulate communication. A generic illustration of this kind of scenario is given in the documentation for BIO pairs.

In my case, I have an API to build applications over a structured peer-to-peer network. I want to use OpenSSL for security but I want to use this structured network instead of TCP as SSL/TLS's transport layer. Then BIOs and BIO pairs are the way to go. (ssltest.c is the place to dive into if you ever want to figure out how to use these). Another elegant way of doing this is to write a custom BIO...

I hope this helps!

Regards,


Chong Peng wrote:

dear all:

i am new to the open ssl library, after a couple of days source code reading, 
my understanding is that one can either use bio (come with the open ssl lib) or 
standard socket interface to connect ssl protocol to the underlying tcp 
protocol, if i would like to use standard socket to do that, the basic flow is 
as follows:

as tcp client:

socket ---> connect (blocked!) ---> SSL_new               ---> SSL_write
                                    SSL_set_fd                 SSL_read (blocked!)
                                    SSL_connect (blocked!)

as tcp server:

socket ---> accept (blocked!) ---> SSL_new                ---> SSL_write
bind                               SSL_set_fd                  SSL_read (blocked!)
listen                             SSL_accept (blocked!)

the SSL_connect/SSL_accept implement a (pretty complicated) state machine that 
is used to do the ssl handshaking, for that purpose, these two functions are 
blocked multiple times on the underlying socket id. after 
SSL_connect/SSL_accept returns, the corresponding ssl link is established and 
ready for io. in the io phase, SSL_read will again be blocked on the underlying 
socket id until data for that link is available.

the questions i have are:

1. do i understand right?
2. if my understanding is correct, standard socket works pretty well in this picture. why we still need bio? what are things that the bio can do and the standard socket can not?
3. anybody know if there is any doc available about the state machines 
implemented in SSL_connect/SSL_accept?

thanks a lot.

chong peng
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


--
Alain Damiral,

Université Catholique de Louvain - student
alain.damiral'at'student.info.ucl.ac.be
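
The arrangement described in the reply above, where the application owns the transport and the TLS engine only reads and writes memory buffers, sketched with Python's ssl module, whose MemoryBIO objects wrap OpenSSL memory BIOs. This is an added example, not code from the thread or from ssltest.c; the peer name and the alert bytes are constructed.

```python
import ssl

def new_client(hostname):
    """TLS client engine wired to two memory BIOs instead of a socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    return tls, incoming, outgoing

def step(tls, incoming, outgoing, received=b""):
    """Feed bytes from the transport in, run the handshake, return bytes to send."""
    if received:
        incoming.write(received)
    try:
        tls.do_handshake()
        state = "done"
    except ssl.SSLWantReadError:
        state = "want_read"   # nothing blocks: the caller must fetch more peer data
    except ssl.SSLError:
        state = "failed"      # e.g. the peer sent a fatal alert
    # Whatever TLS wants transmitted is handed back to the application,
    # which may carry it over TCP, a peer-to-peer overlay, or anything else.
    return state, outgoing.read()

def split_records(data):
    """Split a byte string into TLS records as (content_type, payload) tuples."""
    records = []
    while data:
        length = int.from_bytes(data[3:5], "big")
        records.append((data[0], data[5:5 + length]))
        data = data[5 + length:]
    return records

if __name__ == "__main__":
    tls, inc, out = new_client("peer.example")   # constructed peer name
    state, to_send = step(tls, inc, out)
    print(state, [(t, len(p)) for t, p in split_records(to_send)])
    # Constructed reply: a fatal handshake_failure alert record from the peer.
    print(step(tls, inc, out, b"\x15\x03\x03\x00\x02\x02\x28")[0])
```

The first step returns the ClientHello as opaque bytes without any socket call, which is the point at which a custom transport takes over.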
