Hi,

SSL_accept/SSL_connect is something that we use to establish an
initial SSL connection, and we use SSL_renegotiate/SSL_do_handshake
based on timers we install for SSL for re-negotiating keys such that
hacking the SSL connection is robust.

Having said that, I assume you already have an SSL connection established and
want to implement re-negotiation in your application.

It should go like this
(OpenSSL says that for re-negotiation we should make the underlying
transport BLOCKING):

If openssl version is < 0.9.7
*************************************
#include <openssl/ssl.h>

/* SUCCESS, set_blocking() and set_nonblocking() are the application's own */
int renegotiate(SSL *ssl)
{
    int fd = SSL_get_fd(ssl);

    set_blocking(fd);                /* OpenSSL wants a blocking transport here */

    SSL_renegotiate(ssl);            /* schedule the new handshake */
    SSL_do_handshake(ssl);           /* server: sends HelloRequest; client: sends ClientHello */

    while (ssl->state != SSL_ST_OK) {
        /* you may want to implement timeout here, if you want to */
        ssl->state |= SSL_ST_ACCEPT; /* server side: run the accept state machine */
        if (SSL_do_handshake(ssl) <= 0) {
            set_nonblocking(fd);     /* restore the fd before reporting the failure */
            return -1;               /* see SSL_get_error() for the reason */
        }
    }

    set_nonblocking(fd);

    return SUCCESS;
}
****************************************************

If openssl version > 0.9.7
*****************************************************
#include <openssl/ssl.h>

/* SUCCESS, set_blocking() and set_nonblocking() are the application's own */
int renegotiate(SSL *ssl)
{
    int fd = SSL_get_fd(ssl);

    set_blocking(fd);                /* OpenSSL wants a blocking transport here */

    SSL_renegotiate(ssl);            /* schedule the new handshake */
    SSL_do_handshake(ssl);           /* server: sends HelloRequest; client: sends ClientHello */

    while (SSL_renegotiate_pending(ssl)) {
        /* you may want to implement timeout here, if you want to */
        if (SSL_do_handshake(ssl) <= 0) {
            set_nonblocking(fd);     /* restore the fd before reporting the failure */
            return -1;               /* see SSL_get_error() for the reason */
        }
    }

    set_nonblocking(fd);

    return SUCCESS;
}
***************************************************************

set_blocking and set_nonblocking are functions that can be implemented
very easily using fcntl.

HTH,
Lokesh.
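Both the snippets above and the quoted SSLConnectWithTimeout below toggle the socket to blocking (or spin on SSL_connect) to finish a handshake. As an added example, not from this thread and not OpenSSL's own code, here is the other way to answer Gayathri's question: leave the fd non-blocking and drive the handshake from the WANT_READ/WANT_WRITE outcome with poll() and a deadline. set_blocking_mode, drive_handshake, step_stub and demo are hypothetical names; the step callback stands in for the SSL_do_handshake()/SSL_get_error() pair so the block builds without OpenSSL, and the socketpair input is constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>
/* Step outcomes; with OpenSSL, map SSL_ERROR_WANT_READ/WANT_WRITE onto these. */
enum { HS_TIMEOUT = 0, HS_DONE = 1, HS_WANT_READ = 2, HS_WANT_WRITE = 3, HS_FAIL = -1 };
/* The fcntl helper the reply mentions: set or clear O_NONBLOCK on fd. */
int set_blocking_mode(int fd, int blocking) {
    int fl = fcntl(fd, F_GETFL, 0);
    return fl < 0 ? -1 : fcntl(fd, F_SETFL, blocking ? fl & ~O_NONBLOCK : fl | O_NONBLOCK);
}
static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}
/* Call step() until it reports HS_DONE or HS_FAIL. On WANT_READ/WANT_WRITE, poll
 * fd for that direction with the budget left, then retry. The fd stays
 * non-blocking the whole time, which is what makes the timeout enforceable. */
int drive_handshake(int fd, int (*step)(int), int timeout_ms) {
    long deadline = now_ms() + timeout_ms;
    for (;;) {
        int rc = step(fd);
        if (rc == HS_DONE || rc == HS_FAIL) return rc;
        struct pollfd p = { fd, rc == HS_WANT_WRITE ? POLLOUT : POLLIN, 0 };
        long left = deadline - now_ms();
        int n = left <= 0 ? 0 : poll(&p, 1, (int)left);
        if (n == 0) return HS_TIMEOUT;
        if (n < 0 && errno != EINTR) return HS_FAIL;
    }
}
/* Stand-in for SSL_do_handshake()+SSL_get_error(): done once one byte from the
 * peer is readable, otherwise ask to be woken for reading. */
static int step_stub(int fd) {
    char c;
    if (read(fd, &c, 1) == 1) return HS_DONE;
    return (errno == EAGAIN || errno == EWOULDBLOCK) ? HS_WANT_READ : HS_FAIL;
}
/* Constructed demo on a socketpair: peer_writes=1 completes, 0 times out at 50 ms. */
int demo(int peer_writes) {
    int sv[2], rc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return HS_FAIL;
    set_blocking_mode(sv[0], 0);
    if (peer_writes && write(sv[1], "x", 1) != 1) return HS_FAIL;
    rc = drive_handshake(sv[0], step_stub, 50);
    close(sv[0]); close(sv[1]);
    return rc;
}
```

With real OpenSSL the step would call SSL_do_handshake() and translate SSL_get_error() into HS_WANT_READ/HS_WANT_WRITE; a server on the older API would also keep the SSL_renegotiate_pending() check from the reply above in its loop condition.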


On 6/2/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Thanks pj, the code was real helpful.
> 
> Just one minor clarification: once a call to SSL_renegotiate is made,
> should I check the protocol status by calling SSL_accept (mine is a server)
> within the while loop you have? I have gone into an "accept_pending"
> state and am calling SSL_accept until it returns 1. Is this correct?
> 
> Thanks
> --Gayathri
> 
> Hi, I did the same thing yesterday myself, but because I wanted to implement a
> timeout solution as well as quick shutdown of my COM object via object
> notification. You might be able to hack my work ... this is what I came up
> with... It takes a blocking socket, makes it non-blocking, negotiates with
> timeout and signalling considerations and then passes back normal error
> codes...
> 
> 
> 
> // SSLConnectWithTimeout, connect to a remote server with timeout
> int CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl) {
>        //-------------------------
>        // Set the socket I/O mode: In this case FIONBIO
>        // enables or disables the blocking mode for the
>        // socket based on the numerical value of iMode.
>        // If iMode = 0, blocking is enabled;
>        // If iMode != 0, non-blocking mode is enabled.
>        int iMode = 1;
> 
>        LogInformation2("Running SSL non-blocking connection timeout = %ld", timeout);
>        if (timeout) {
>                // establish non-blocking mode to enable us to time out.
>                ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
>        }
> 
>        // make the connection attempt
>        int nRet = SSL_connect(ssl);
> 
>        // if we are using a timeout then ...
>        if (timeout) {
>                // convert nRet to a real error if necessary
>                if (nRet != 1)
>                        nRet = SSL_get_error(ssl, nRet);
> 
>                LogInformation2("connect run return value %d.", nRet);
>                LogInformation1("Starting SSL polling loop");
>                // get the start time
>                DWORD starttime = timeGetTime();
>                while ((nRet == SSL_ERROR_WANT_READ || nRet == SSL_ERROR_WANT_WRITE) && !isStopEventSignaled()) {
> 
>                        // Back off to let the connection happen.
>                        //Sleep(50);
>                        // reiterate the connection
>                        nRet = SSL_connect(ssl);
>                        if (nRet != 1)
>                                nRet = SSL_get_error(ssl, nRet);
> 
>                        // check for timeout
>                        if ((timeGetTime() - starttime >= timeout) || m_signalled) {
>                                // return an error
>                                nRet = -1;
>                                break;
>                        }
>                }
>                LogInformation2("Finished polling loop signalled? %d", m_signalled);
>                // if we made it to here with nRet = 1 we are SSL connected
>                if (nRet == 1) {
>                        LogInformation2("Successful connection made! returning %d.", nRet);
>                        // turn off non-blocking mode, back to blocking mode for the rest
>                        // of the connection
>                        iMode = 0;
>                        ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
>                }
>                else {
>                        // just log the error, remember logging disappears when compiled
>                        // without LOG_BUILD defined.
>                        LogInformation2("Timeout occurred returning %d.", nRet);
>                }
>        }
>        // return connection state.
>        return nRet;
> }
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, 2 June 2005 2:14 PM
> To: openssl-users@openssl.org
> Subject: SSL_renegotiation using non block sockets
> 
> Hi,
> 
> I am using non-blocking sockets, and would like to
> know the behaviour with regard to SSL_renegotiation.
> Once I make a call to do_handshake, as the FD is non-
> blocking it will return immediately with a success,
> but from the application's point of view how will it come
> to know that the renegotiation is through so that it can
> call SSL_write/SSL_read? Should the application poll on that
> do_handshake flag within the ssl control block?
> 
> Any suggestion/help appreciated a lot.
> 
> Thanks
> --Gayathri
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
> 