Hi there,
On Tue, 29 Aug 2000, Andreas Jungmaier wrote:
> After looking through the openssl-source code I figured (since there
> are BIO-class implementations for memory i/o, socket i/o as well as
> remote procedure call-based i/o and a BIO-null class template) that
> it should be possible to adapt OpenSSL in a way transparent to
> the transport protocol.
It is, and there's a number of ways to skin the same cat. BIO-pairs are
one way to make it easier to connect *external* transport-support code to
a memory-only OpenSSL environment; creating BIO types specific to your
protocol is also possible (so it hooks directly to whatever your
equivalents are for the various TCP operations used in the corresponding
socket BIOs). From an application point of view, it is also possible to
simply use OpenSSL itself inside a state-machine and control the
to-and-fro of data outside OpenSSL altogether. However, that is less an
answer to your specific question because by definition, this has nothing
to do with your transport layer just as much as it has nothing to do with
TCP itself, or IPv4, or domain sockets, etc.
> But how and where do you specify that the SSL functions
> (e.g. SSL_write(), SSL_read()) use a different BIO class?
> Do you do this by implementing an appropriate TLSv1_method()
> constructor?
No, you can avoid the use of SSL_write/SSL_read by pushing a filter BIO
(or was it source-sink? I always muddle those up) on top of the SSL. So
your reads/writes on both sides of the SSL are BIOs. I avoid it because I
lose clarity (SSL_read/write is for clear-text, the BIOs represent the
encrypted side), and there's also some odd reference-count issues
associated with pushing a BIO onto the SSL, but it's probably exactly what
you want. Coding a new SSL/TLS method constructor is similarly exactly
what you *don't* want to do. :-)
BTW: I recently posted (yesterday) a new demo in OpenSSL, it should be
inside last night's snapshot on the website. This is the approach I
mentioned where OpenSSL sits in a state machine with 4 exposed buffers -
and where those buffers are emptied to or filled from is up to the outside
application. It may not answer your exact question, but may be useful from
the point of view of getting a working prototype up quickly - you replace
the network code (if indeed you're doing SSL over a network at all) inside
the application rather than having to replace the network code (or BIO
code) inside OpenSSL itself. It's in the demos/tunala directory in
OpenSSL, and yesterday's post had the subject "new non-blocking IO /
state-machine demo".
Cheers,
Geoff
> Any answers/pointers to documentation are greatly appreciated,
Likewise - please point us to your transport stuff as/when available.
Cheers,
Geoff
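The arrangement Geoff describes, with the SSL engine talking only to a BIO-like abstraction that the application supplies, carried out in Go's crypto/tls rather than OpenSSL, as an added example that is not part of this thread or of OpenSSL's demos. memConn, memPair, selfSignedCert and runInMemoryTLS are names chosen for this example; the certificate is generated at run time for the demo only, and the buffered-channel transport stands in for whatever protocol the application actually carries TLS over. It shows the engine completing a handshake and one exchange with no socket anywhere, and that the transport underneath sees only TLS records, never the plaintext.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync"
	"time"
)

// memConn plays the role of a protocol-specific BIO: a net.Conn whose bytes travel
// over Go channels instead of a socket. crypto/tls only ever sees this interface,
// so what lies underneath is the application's business. wire keeps a copy of
// every byte this end sends, i.e. exactly what the transport would carry.
type memConn struct {
	in   <-chan []byte
	out  chan<- []byte
	rem  []byte // unread tail of the last chunk taken from in
	wire bytes.Buffer
	once sync.Once
}

func (c *memConn) Read(p []byte) (int, error) {
	var ok bool
	if len(c.rem) == 0 {
		if c.rem, ok = <-c.in; !ok {
			return 0, io.EOF // peer closed its sending side
		}
	}
	n := copy(p, c.rem)
	c.rem = c.rem[n:]
	return n, nil
}

func (c *memConn) Write(p []byte) (int, error) {
	buf := append([]byte(nil), p...) // copy: tls.Conn reuses p after Write returns
	c.wire.Write(buf)
	c.out <- buf
	return len(p), nil
}

// Close ends this sending direction; the transport has no addresses or deadlines.
func (c *memConn) Close() error                     { c.once.Do(func() { close(c.out) }); return nil }
func (c *memConn) LocalAddr() net.Addr              { return nil }
func (c *memConn) RemoteAddr() net.Addr             { return nil }
func (c *memConn) SetDeadline(time.Time) error      { return nil }
func (c *memConn) SetReadDeadline(time.Time) error  { return nil }
func (c *memConn) SetWriteDeadline(time.Time) error { return nil }

// memPair is a socketpair without sockets. The channel buffers let a side write a
// whole handshake flight before the peer reads, which a synchronous pipe cannot.
func memPair() (*memConn, *memConn) {
	a2b, b2a := make(chan []byte, 64), make(chan []byte, 64)
	return &memConn{in: b2a, out: a2b}, &memConn{in: a2b, out: b2a}
}

// selfSignedCert builds a throwaway server certificate in memory (constructed for
// this example; a real deployment loads its own key material).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-server"},
		DNSNames:     []string{"example-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// runInMemoryTLS performs a full handshake and one request/response over the
// channel transport, returning the decrypted reply and the raw bytes the client
// end handed to the transport to get there.
func runInMemoryTLS(request string) (string, []byte, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf)
	clientEnd, serverEnd := memPair()
	server := tls.Server(serverEnd, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	client := tls.Client(clientEnd, &tls.Config{RootCAs: roots, ServerName: "example-server", MinVersion: tls.VersionTLS12})

	done := make(chan error, 1)
	go func() { // server: Read drives its half of the handshake, then echo and close
		defer server.Close()
		buf := make([]byte, 512)
		n, err := server.Read(buf)
		if err == nil {
			_, err = server.Write(append([]byte("echo: "), buf[:n]...))
		}
		done <- err
	}()
	if _, err = client.Write([]byte(request)); err != nil { // client: Write drives the handshake
		return "", nil, err
	}
	buf := make([]byte, 512)
	n, err := client.Read(buf)
	client.Close()
	if err == nil {
		err = <-done
	}
	return string(buf[:n]), clientEnd.wire.Bytes(), err
}

func main() {
	reply, wire, err := runInMemoryTLS("hello over any transport")
	fmt.Printf("reply %q, %d bytes crossed the transport, err: %v\n", reply, len(wire), err)
}
```

This is the "BIO type specific to your protocol" option from the reply: the transport implements the connection interface and the TLS engine is never told what it is. The tunala demo takes the other route, where the application pumps four exposed buffers itself; either way the split is the same, and nothing in the engine changes when the transport does. The buffered channels matter: a synchronous in-memory pipe can stall when one side writes a whole handshake flight that the other has not finished reading, which is the kind of blocking behaviour any custom transport has to think about.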
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]