---------------------------- Original Message ----------------------------
Subject: Re: SSL_renegotiation using non block sockets
From:    [EMAIL PROTECTED]
Date:    Thu, June 2, 2005 8:41 pm
--------------------------------------------------------------------------

Hi Lokesh,

Thanks for the response. Actually yesterday I spent close to 3 hrs
trying all sorts of things, and finally concluded myself that
renegotiation has to be only on blocking sockets. But I thought that was a
restriction on openssl 0.9.6. I am using 0.9.7. Could someone please clarify
this?

The thing is, once I call renegotiation/do_handshake, encrypted
handshake messages are exchanged by the peers, but then, checking the
SSL_renegotiate_pending API in a loop wherein I call that for
FD_WRITE_POLL, I noticed that packets in the TCP RecvQ were just not getting
read. So the client never tried to establish the next new connection.
Could you please tell me more about the SSL_renegotiate_pending() API? I don't
think it reads/writes data; it simply returns non-zero if the
renegotiation is still going on and one for completion.

The main scenario is for "authentication", wherein after a user has
established a valid SSL_Session and tries to "Login" into our
application, we want to renegotiate with a "client certificate" for extra
privileges. What I now see is that the response "encrypted handshake msg" is
not read by SSL; it's there in the TCP "RecvQ" and I don't know what API to
use so that the server can read that. Will this be solved if it were made
blocking?

Thanks
--Gayathri


Hi,

SSL_accept/SSL_connect is something that we use to establish an
initial SSL connection, and we use SSL_renegotiate/SSL_do_handshake based
on timers we install for SSL for re-negotiating keys such that hacking the SSL
connection is robust.

Having said that, I assume you already have an SSL connection established
and want to implement re-negotiation in your application.

It should go like this....
( OPENSSL says for re-negotiation we should make the underlying
transport BLOCKING)

If openssl version is  < 0.9.7
*************************************
#include <fcntl.h>
#include <openssl/ssl.h>

/* set_blocking()/set_nonblocking() toggle O_NONBLOCK with fcntl (see below) */
void set_blocking(int fd);
void set_nonblocking(int fd);

int renegotiate_blocking(SSL *ssl)
{
    int fd = SSL_get_fd(ssl);

    set_blocking(fd);              /* the handshake calls below may block */

    SSL_renegotiate(ssl);          /* schedule the renegotiation */
    SSL_do_handshake(ssl);         /* kick it off */

    /* ssl->state is an OpenSSL-internal field (before 0.9.7 there is no
     * SSL_renegotiate_pending()); setting the ACCEPT bit re-enters the
     * server-side handshake state machine so the peer's reply gets read */
    while (ssl->state != SSL_ST_OK)
    {
        /* you may want to implement timeout here, if you want to */

        ssl->state |= SSL_ST_ACCEPT;
        if (SSL_do_handshake(ssl) <= 0)   /* failed: don't loop forever */
        {
            set_nonblocking(fd);
            return -1;
        }
    }

    set_nonblocking(fd);

    return SUCCESS;                /* SUCCESS: the poster's own status macro */
}
****************************************************

IF openssl version > 0.9.7
*****************************************************
/* same includes and set_blocking()/set_nonblocking() helpers as above */
int renegotiate_blocking(SSL *ssl)
{
    int fd = SSL_get_fd(ssl);

    set_blocking(fd);

    SSL_renegotiate(ssl);
    SSL_do_handshake(ssl);

    /* public API replaces the ssl->state poke of the older version */
    while (SSL_renegotiate_pending(ssl))
    {
        /* you may want to implement timeout here, if you want to */

        if (SSL_do_handshake(ssl) <= 0)   /* failed: don't loop forever */
        {
            set_nonblocking(fd);
            return -1;
        }
    }

    set_nonblocking(fd);

    return SUCCESS;
}
***************************************************************

set_blocking and set_nonblocking are functions that can be implemented
very easily using fcntl.

HTH,
Lokesh.
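The set_blocking/set_nonblocking helpers Lokesh leaves as an exercise, plus the timeout his "you may want to implement timeout here" comment asks for, as an added example that is not code from anyone in this thread. The timeout is done with SO_RCVTIMEO/SO_SNDTIMEO, so that a blocking SSL_do_handshake() against a peer that goes quiet half way through returns with EAGAIN instead of tying up the server thread for good. The function names, the socketpair used as a stand-in connection, and the two demo functions are my own assumptions, not OpenSSL or the posters' API.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Clear O_NONBLOCK: read()/write() (and SSL_do_handshake() on top of them)
 * wait until data moves or a socket timeout expires. */
int set_blocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFL, flags & ~O_NONBLOCK) < 0 ? -1 : 0;
}

/* Set O_NONBLOCK: I/O returns EAGAIN/EWOULDBLOCK instead of waiting. */
int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0 ? -1 : 0;
}

/* 1 if O_NONBLOCK is set, 0 if the descriptor is blocking, -1 on error. */
int is_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    return flags < 0 ? -1 : ((flags & O_NONBLOCK) != 0);
}

/* Cap every blocking receive and send on the socket at timeout_ms. Without
 * this, a blocking handshake waits forever for a peer that stops answering
 * mid-renegotiation, and that one peer holds the server thread indefinitely. */
int set_socket_timeout(int fd, long timeout_ms)
{
    struct timeval tv;
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0)
        return -1;
    return setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv) < 0 ? -1 : 0;
}

/* Round trip blocking -> non-blocking -> blocking on a constructed socketpair.
 * Returns 1 when is_nonblocking() reports 0, 1, 0 in that order. */
int nonblock_toggle_demo(void)
{
    int sv[2], ok;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    ok = is_nonblocking(sv[0]) == 0
      && set_nonblocking(sv[0]) == 0 && is_nonblocking(sv[0]) == 1
      && set_blocking(sv[0]) == 0 && is_nonblocking(sv[0]) == 0;
    close(sv[0]);
    close(sv[1]);
    return ok;
}

/* A blocking read on a socket whose peer never sends anything: with the
 * timeout armed it fails with EAGAIN/EWOULDBLOCK after timeout_ms instead of
 * hanging. Returns 1 if it timed out as expected, 0 otherwise, -1 on error. */
int blocking_read_times_out(long timeout_ms)
{
    int sv[2], timed_out = 0;
    char c;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (set_blocking(sv[0]) == 0 && set_socket_timeout(sv[0], timeout_ms) == 0) {
        ssize_t n = read(sv[0], &c, 1);        /* sv[1] is silent on purpose */
        timed_out = (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK));
    }
    close(sv[0]);
    close(sv[1]);
    return timed_out;
}
```

Wrap Lokesh's loop with set_blocking() and set_socket_timeout() before the first SSL_do_handshake() and treat an SSL_ERROR_SYSCALL with errno EAGAIN as "peer stalled" rather than retrying; restore set_nonblocking() on every exit path, or the rest of the event loop will start blocking.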


On 6/2/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Thanks pj, the code was real helpful.
>
> Just one minor clarification: once a call to SSL_renegotiate is made,
> should I check the protocol status by calling SSL_accept (mine is a
> server) within the while loop you have? I have gone into an
> "accept_pending" state and am calling SSL_accept until it returns with a
> 1. Is this correct?
>
> Thanks
> --Gayathri
>
> Hi, I did the same thing yesterday myself, but because I wanted to
> implement a timeout solution as well as quick shutdown of my COM object via
> object notification. You might be able to hack my work ... this is what I
> came up with... It takes a blocking socket, makes it un-blocking...
> negotiates with timeout and signalling considerations and then passes
> back normal error codes...
>
>
>
> // SSLConnectWithTimeout, connect to a remote server with timeout
> int CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl) {
>        //-------------------------
>        // Set the socket I/O mode: In this case FIONBIO
>        // enables or disables the blocking mode for the
>        // socket based on the numerical value of iMode.
>        // If iMode = 0, blocking is enabled;
>        // If iMode != 0, non-blocking mode is enabled.
>        u_long iMode = 1;
>
>        LogInformation2("Running SSL non-blocking connection timeout = %lu",
>                        (unsigned long) timeout);
>        if (timeout) {
>                // establish non-blocking mode to enable us to time out.
>                ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
>        }
>
>        // make the connection attempt
>        int nRet = SSL_connect(ssl);
>
>        // if we are using a timeout then ...
>        if (timeout) {
>                // keep the SSL_get_error() code separate from nRet:
>                // SSL_ERROR_SSL is also 1, so copying it into nRet would
>                // make a fatal TLS error look like a successful connect
>                int nErr = (nRet == 1) ? SSL_ERROR_NONE : SSL_get_error(ssl, nRet);
>
>                LogInformation2("connect run return value %d.", nErr);
>                LogInformation1("Starting SSL polling loop");
>                // get the start time
>                DWORD starttime = timeGetTime();
>                while ((nErr == SSL_ERROR_WANT_READ ||
>                        nErr == SSL_ERROR_WANT_WRITE) && !isStopEventSignaled()) {
>
>                        // Back off to let the connection happen.
>                        //Sleep(50);
>                        // reiterate the connection
>                        nRet = SSL_connect(ssl);
>                        nErr = (nRet == 1) ? SSL_ERROR_NONE : SSL_get_error(ssl, nRet);
>
>                        // check for timeout, but only while still waiting, so a
>                        // connect that just completed is not reported as timed out
>                        if (nErr != SSL_ERROR_NONE &&
>                            ((timeGetTime() - starttime >= timeout) || m_signalled)) {
>                                // return an error
>                                nRet = -1;
>                                break;
>                        }
>                }
>                LogInformation2("Finished polling loop signalled? %d",
>                                m_signalled);
>                // if we made it to here with nRet = 1 we are SSL connected
>                if (nRet == 1) {
>                        LogInformation2("Successful connection made! returning %d.",
>                                        nRet);
>                        // turn off non-blocking mode, back to blocking mode
>                        // for the rest of the connection
>                        iMode = 0;
>                        ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
>                }
>                else {
>                        // just log the error, remember logging disappears
>                        // when compiled without LOG_BUILD defined.
>                        // nRet is -1 on timeout/stop, otherwise the 0 or -1
>                        // SSL_connect() returned (reason is in nErr)
>                        LogInformation2("Timeout occurred returning %d.",
>                                        nRet);
>                }
>        }
>        // return connection state.
>        return nRet;
> }
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, 2 June 2005 2:14 PM
> To: openssl-users@openssl.org
> Subject: SSL_renegotiation using non block sockets
>
> Hi,
>
> I am using non-blocking sockets, and would like to
> know the behaviour wrt SSL_renegotiation.
> Once I make a call to do_handshake, as the FD is non-
> blocking it will return immediately with a success,
> but from the application's point of view how will it come
> to know that the renegotiation is through, so that it can
> call SSL_write/SSL_read? Should the application poll on that
> do_handshake flag within the SSL control block?
>
> Any suggestion/help appreciated a lot.
>
> Thanks
> --Gayathri
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
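The non-blocking alternative to Lokesh's switch-to-blocking recipe, answering both the original question ("how will the application know the renegotiation is through?") and the polling loop in pj's SSLConnectWithTimeout. This is an added example, not code from any poster. drive_handshake() is the generic event-loop step: it waits on the socket only in the direction SSL_get_error() asked for (WANT_READ -> POLLIN, WANT_WRITE -> POLLOUT), re-runs the handshake step, and enforces a deadline so a peer that stops talking cannot park the connection forever. renegotiate_nonblocking() is the OpenSSL adapter and is compiled only when HAVE_OPENSSL is defined. The `struct sim` stepper is a constructed stand-in for the SSL object so the driver can run offline over a socketpair; all function, type and enum names here are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

#ifdef HAVE_OPENSSL
#include <openssl/ssl.h>
#else /* SSL_get_error() codes with OpenSSL's values, so this builds without libssl */
#define SSL_ERROR_NONE 0
#define SSL_ERROR_SSL 1
#define SSL_ERROR_WANT_READ 2
#define SSL_ERROR_WANT_WRITE 3
#endif

enum hs_result { HS_DONE = 0, HS_PENDING = 1, HS_TIMEOUT = -1, HS_FAILED = -2 };

/* One handshake step: SSL_ERROR_NONE when finished, WANT_READ/WANT_WRITE when
 * it must wait for the socket, any other code on failure. */
typedef int (*hs_step_fn)(void *ctx);

static long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Event-loop side of a non-blocking handshake: after WANT_READ wait for POLLIN,
 * after WANT_WRITE wait for POLLOUT, then call step() again until it finishes,
 * fails, or the deadline passes. The repeated step() call is what reads the
 * queued handshake record; SSL_renegotiate_pending() only reports state. */
int drive_handshake(hs_step_fn step, void *ctx, int fd, long timeout_ms)
{
    long deadline = now_ms() + timeout_ms;
    for (;;) {
        int err = step(ctx);
        if (err == SSL_ERROR_NONE) return HS_DONE;
        if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) return HS_FAILED;
        struct pollfd pfd = { fd, (err == SSL_ERROR_WANT_READ) ? POLLIN : POLLOUT, 0 };
        long left = deadline - now_ms();
        if (left <= 0) return HS_TIMEOUT;
        int n = poll(&pfd, 1, (int)left);
        if (n == 0) return HS_TIMEOUT;              /* peer went quiet mid-handshake */
        if (n < 0 && errno != EINTR) return HS_FAILED;
    }
}

#ifdef HAVE_OPENSSL
static int ssl_step(void *ctx)
{
    int r = SSL_do_handshake((SSL *)ctx);
    return r == 1 ? SSL_ERROR_NONE : SSL_get_error((SSL *)ctx, r);
}

/* Server-initiated renegotiation on a non-blocking socket. HS_PENDING means the
 * HelloRequest is out but the client's answer has not been processed yet: keep
 * servicing the connection with SSL_read() and re-check SSL_renegotiate_pending(). */
int renegotiate_nonblocking(SSL *ssl, long timeout_ms)
{
    if (SSL_renegotiate(ssl) != 1) return HS_FAILED;
    int rc = drive_handshake(ssl_step, ssl, SSL_get_fd(ssl), timeout_ms);
    return (rc == HS_DONE && SSL_renegotiate_pending(ssl)) ? HS_PENDING : rc;
}
#endif

/* Constructed stand-in for the SSL object: a scripted list of error codes over a
 * socketpair. Before reporting WANT_READ it writes one byte from the "peer" end
 * so the socket becomes readable; with peer_stalls set it stays silent instead. */
struct sim { int fd, peer; const int *script; int len, pos, peer_stalls; };

static int sim_step(void *ctx)
{
    struct sim *s = ctx;
    char c;
    while (read(s->fd, &c, 1) == 1) {}             /* consume the peer's byte */
    if (s->pos >= s->len) return SSL_ERROR_SSL;
    int code = s->script[s->pos++];
    if (code == SSL_ERROR_WANT_READ && !s->peer_stalls && write(s->peer, "x", 1) != 1)
        return SSL_ERROR_SSL;
    return code;
}

static int run_simulated(const int *script, int len, int peer_stalls, long timeout_ms)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return HS_FAILED;
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL, 0) | O_NONBLOCK);
    struct sim s = { sv[0], sv[1], script, len, 0, peer_stalls };
    int rc = drive_handshake(sim_step, &s, sv[0], timeout_ms);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* Peer answers every read: completes on the fourth step. */
int demo_clean_handshake(void)
{
    static const int script[] = { SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE,
                                  SSL_ERROR_WANT_READ, SSL_ERROR_NONE };
    return run_simulated(script, 4, 0, 1000);
}

/* Peer never answers the first WANT_READ: the driver gives up after 100 ms. */
int demo_stalled_peer(void)
{
    static const int script[] = { SSL_ERROR_WANT_READ, SSL_ERROR_NONE };
    return run_simulated(script, 2, 1, 100);
}
```

The HS_PENDING outcome is the situation Gayathri describes: on the server, SSL_do_handshake() returns once the HelloRequest has been written, so the ClientHello that then lands in the receive queue is only consumed when the application reads again. Poll for readability and keep calling SSL_read() as usual, checking SSL_renegotiate_pending() after each read, rather than spinning on SSL_renegotiate_pending() itself, which never touches the socket.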