---------------------------- Original Message ----------------------------
Subject: Re: SSL_renegotiation using non block sockets
From: [EMAIL PROTECTED]
Date: Thu, June 2, 2005 8:41 pm
--------------------------------------------------------------------------
Hi Lokesh,

Thanks for the response. Actually yesterday I spent close to 3 hrs trying all sorts of things, and finally concluded myself that renegotiation has to be only on blocking sockets. But I thought that was a restriction on OpenSSL 0.9.6. I am using 0.9.7. Could someone please clarify on this?

The thing is, once I call renegotiation/do_handshake, encrypted handshake messages are exchanged by the peers, but then, checking the SSL_renegotiate_pending API in a loop wherein I call that for FD_WRITE_POLL, I noticed that packets in the TCP RecvQ were just not getting read. So the client never tried to establish the next new connection.

Could you please let me know more about the SSL_renegotiate_pending() API? I don't think it reads/writes data; it simply returns non-zero if the renegotiation is still going on and a one for completion.

The main scenario is for "authentication", wherein after a user has established a valid SSL_Session and tries to "Login" into our application, we want to renegotiate with "client certificate" for extra privileges. What I now see is, the response "encrypted handshake msg" is not read by SSL; it's there in the TCP "RecvQ" and I don't know what API to use so that the server can read that. Will this be solved if it were made blocking?

Thanks
--Gayathri

Hi,

SSL_accept/SSL_connect is something that we use to establish an initial SSL connection, and we use SSL_renegotiate/SSL_do_handshake based on timers we install for SSL for re-negotiating keys such that hacking the SSL connection is robust. Having said that, I assume you already have an SSL connection established and want to implement re-negotiation in your application. It should go like this...
(OpenSSL says for re-negotiation we should make the underlying transport BLOCKING)

If openssl version is < 0.9.7
*************************************
    SSL *ssl;
    int fd;

    fd = SSL_get_fd(ssl);
    set_blocking(fd);
    SSL_renegotiate(ssl);
    SSL_do_handshake(ssl);
    while (ssl->state != SSL_ST_OK) {
        /* you may want to implement timeout here, if you want to */
        ssl->state |= SSL_ST_ACCEPT;
        SSL_do_handshake(ssl);
    }
    set_nonblocking(fd);
    return SUCCESS;
****************************************************

If openssl version > 0.9.7
*****************************************************
    SSL *ssl;
    int fd;

    fd = SSL_get_fd(ssl);
    set_blocking(fd);
    SSL_renegotiate(ssl);
    SSL_do_handshake(ssl);
    while (SSL_renegotiate_pending(ssl)) {
        /* you may want to implement timeout here, if you want to */
        SSL_do_handshake(ssl);
    }
    set_nonblocking(fd);
    return SUCCESS;
***************************************************************

set_blocking and set_nonblocking are functions that can be implemented very easily using fcntl.

HTH,
Lokesh.

On 6/2/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Thanks pj, the code was real helpful.
>
> Just one minor clarification: once a call to SSL_renegotiate is made, should I check the protocol status by calling SSL_accept (mine is server) within the while loop you have? I have gone into an "accept_pending" state and am calling SSL_accept until it returns with a 1. Is this correct?
>
> Thanks
> --Gayathri
>
> Hi, I did the same thing yesterday myself, but because I wanted to implement a
> timeout solution as well as quick shutdown of my COM object via object notification. You might be able to hack my work ... this is what I came up with... It takes a blocking socket, makes it un-blocking... negotiates with timeout and signalling considerations and then passes back normal error codes...
>
> // SSLConnectWithTimeout, connect to a remote server with timeout
> int CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl)
> {
>     //-------------------------
>     // Set the socket I/O mode: In this case FIONBIO
>     // enables or disables the blocking mode for the
>     // socket based on the numerical value of iMode.
>     // If iMode = 0, blocking is enabled;
>     // If iMode != 0, non-blocking mode is enabled.
>     int iMode = 1;
>
>     LogInformation2("Running SSL non-blocking connection timeout = %ld", timeout);
>     if (timeout) {
>         // establish non-blocking mode to enable us to time out.
>         ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
>     }
>
>     // make the connection attempt
>     int nRet = SSL_connect(ssl);
>
>     // if we are using a timeout then ...
>     if (timeout) {
>         // convert nRet to a real error if necessary
>         if (nRet != 1)
>             nRet = SSL_get_error(ssl, nRet);
>
>         LogInformation2("connect run return value %d.", nRet);
>         LogInformation1("Starting SSL polling loop");
>         // get the start time
>         DWORD starttime = timeGetTime();
>         while ((nRet == SSL_ERROR_WANT_READ || nRet == SSL_ERROR_WANT_WRITE) && !isStopEventSignaled()) {
>
>             // Back off to let the connection happen.
>             //Sleep(50);
>             // reiterate the connection
>             nRet = SSL_connect(ssl);
>             if (nRet != 1)
>                 nRet = SSL_get_error(ssl, nRet);
>
>             // check for timeout
>             if ((timeGetTime() - starttime >= timeout) || m_signalled) {
>                 // return an error
>                 nRet = -1;
>                 break;
>             }
>         }
>         LogInformation2("Finished polling loop signalled? %d", m_signalled);
>         // if we made it to here with nRet = 1 we are SSL connected
>         if (nRet == 1) {
>             LogInformation2("Successful connection made! returning %d.", nRet);
>             // turn off non-blocking mode, back to blocking mode for the rest
>             // of the connection
>             iMode = 0;
>             ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
>         }
>         else {
>             // just log the error, remember logging disappears when compiled
>             // without LOG_BUILD defined.
>             LogInformation2("Timeout occurred returning %d.", nRet);
>         }
>     }
>     // return connection state.
>     return nRet;
> }
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, 2 June 2005 2:14 PM
> To: openssl-users@openssl.org
> Subject: SSL_renegotiation using non block sockets
>
> Hi,
>
> I am using non-blocking sockets, and would like to
> know the behaviour wrt SSL_renegotiation.
> Once I make a call to do_handshake, as the FD is non-
> blocking it will return immediately with a success,
> but from the application's point of view how will it come
> to know that the renegotiation is through so that it can
> call SSL_write/SSL_read? Should the application poll on that
> do_handshake flag within the SSL control block?
>
> Any suggestion/help appreciated a lot.
>
> Thanks
> --Gayathri
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
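Added example following the thread (constructed for this page; it is not code from any of the posters and not OpenSSL itself). It models the driver loop a non-blocking application needs around a handshake call: a three-message toy handshake over a socketpair, where hs_step() follows the SSL_do_handshake() contract (it advances as far as the socket allows, then returns WANT_READ or WANT_WRITE and must be called again once poll() reports the fd ready). run_pair() is the single-threaded event loop that re-enters the handshake on readiness; stalled_peer_unread_bytes() reproduces the symptom Gayathri describes, where nobody re-enters the handshake after WANT_READ and the peer's message simply sits in the receive queue. All names (hs_step, run_pair, MSG_CLIENT_HELLO, ...) are assumptions of this example.

```c
/* Model of the non-blocking handshake driver pattern (constructed, not OpenSSL). */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum hs_result { HS_DONE = 1, HS_WANT_READ = -1, HS_WANT_WRITE = -2, HS_ERROR = -3 };

/* One-byte wire messages of the toy handshake (constructed, not a real protocol). */
enum { MSG_CLIENT_HELLO = 1, MSG_SERVER_HELLO = 2, MSG_CLIENT_FINISHED = 3 };

/* Script: which message moves at each stage and whether the server is its sender. */
static const struct { unsigned char msg; int sent_by_server; } script[3] = {
    { MSG_CLIENT_HELLO, 0 }, { MSG_SERVER_HELLO, 1 }, { MSG_CLIENT_FINISHED, 0 }
};

struct hs_state { int fd; int is_server; int stage; };

static int set_nonblocking(int fd) {
    int flags = fcntl(fd, F_GETFL, 0);
    return flags < 0 ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Advance as far as the socket allows, like SSL_do_handshake(): send our messages,
 * consume the peer's, and stop with WANT_READ/WANT_WRITE when the fd would block. */
static enum hs_result hs_step(struct hs_state *s) {
    while (s->stage < 3) {
        unsigned char want = script[s->stage].msg, got;
        ssize_t n;
        if (script[s->stage].sent_by_server == s->is_server) {   /* our turn to send */
            n = send(s->fd, &want, 1, 0);
            if (n == 1) { s->stage++; continue; }
            return (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) ? HS_WANT_WRITE : HS_ERROR;
        }
        n = recv(s->fd, &got, 1, 0);                               /* peer's turn */
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) return HS_WANT_READ;
        if (n != 1 || got != want) return HS_ERROR;               /* EOF or wrong message */
        s->stage++;
    }
    return HS_DONE;
}

/* Event loop driving both ends of one handshake in a single thread. Returns 1 when
 * both sides reach HS_DONE, 0 on timeout or error. This is what an application must
 * do around SSL_do_handshake(): re-enter it whenever poll() reports the readiness it
 * last asked for, instead of assuming the reply will be read by itself. */
static int run_pair(int timeout_ms) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    set_nonblocking(sv[0]);
    set_nonblocking(sv[1]);
    struct hs_state side[2] = { { sv[0], 0, 0 }, { sv[1], 1, 0 } };
    enum hs_result res[2] = { HS_WANT_WRITE, HS_WANT_READ };   /* initial interest */
    int ok = 1;
    while (ok && (res[0] != HS_DONE || res[1] != HS_DONE)) {
        struct pollfd p[2];
        for (int i = 0; i < 2; i++) {
            p[i].fd = (res[i] == HS_DONE) ? -1 : side[i].fd;     /* -1: poll() skips it */
            p[i].events = (res[i] == HS_WANT_WRITE) ? POLLOUT : POLLIN;
            p[i].revents = 0;
        }
        if (poll(p, 2, timeout_ms) <= 0) ok = 0;                 /* timeout or failure */
        for (int i = 0; ok && i < 2; i++) {
            if (p[i].revents) {
                res[i] = hs_step(&side[i]);
                if (res[i] == HS_ERROR) ok = 0;
            }
        }
    }
    close(sv[0]);
    close(sv[1]);
    return ok;
}

/* The symptom from the thread: the client sends its first message, but the server
 * side is never stepped again, so the message stays unread in its receive queue.
 * Returns the byte count MSG_PEEK finds there (1 for the toy handshake). */
static int stalled_peer_unread_bytes(void) {
    int sv[2];
    unsigned char buf[8];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    set_nonblocking(sv[0]);
    set_nonblocking(sv[1]);
    struct hs_state client = { sv[0], 0, 0 };
    hs_step(&client);                                    /* sends CLIENT_HELLO, then WANT_READ */
    ssize_t n = recv(sv[1], buf, sizeof buf, MSG_PEEK);  /* server never called hs_step() */
    close(sv[0]);
    close(sv[1]);
    return n < 0 ? 0 : (int)n;
}

int main(void) {
    printf("both sides completed the handshake: %d\n", run_pair(1000));
    printf("bytes left unread on a stalled server: %d\n", stalled_peer_unread_bytes());
    return 0;
}
```

With real OpenSSL the same loop applies: call SSL_do_handshake(), map SSL_get_error()'s SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE to POLLIN and POLLOUT, and call SSL_do_handshake() again after poll() returns. SSL_renegotiate_pending() only reports whether a renegotiation is still outstanding; it moves no data, so checking it in a loop without re-entering the handshake leaves the peer's records queued, which is the behaviour observed in the thread.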