Thanks for your advice.
I have another question. If I don't use socket, how could I make TLS
handshake happen?
For example:
incoming data ----> TLS engine ----> outgoing data
My application get the incoming data from the client, and I feed it to the
TLS engine, and then TLS engine give me the outgoing data which the
application will send to the client.
It seems like that my application is an agent of the client for both TLS
handshake and TLS data transmission.
How could I do it?
On Wed, May 18, 2011 at 11:53 AM, Rene Hollan <rene.hol...@watchguard.com>wrote:
> You CAN use openssl as an engine, with bio pairs.
>
>
> Look here: http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html:
>
> Using BIOs for SSL Data Transmission (Optional)
>
> Instead of using SSL_write() and SSL_read(), you can transmit data by
> calling BIO_puts() and BIO_gets(), and BIO_write() and BIO_read(),
> provided that a buffer BIO is created and set up as follows:
>
> BIO *buf_io, *ssl_bio;
> char rbuf[READBUF_SIZE];
> char wbuf[WRITEBUF_SIZE]
>
> buf_io = BIO_new(BIO_f_buffer()); /* create a buffer BIO */
> ssl_bio = BIO_new(BIO_f_ssl()); /* create an ssl BIO */
> BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE); /* assign the ssl BIO to SSL */
> BIO_push(buf_io, ssl_bio); /* add ssl_bio to buf_io */
>
> ret = BIO_puts(buf_io, wbuf);
> /* Write contents of wbuf[] into buf_io */
> ret = BIO_write(buf_io, wbuf, wlen);
> /* Write wlen-byte contents of wbuf[] into buf_io */
>
> ret = BIO_gets(buf_io, rbuf, READBUF_SIZE);
> /* Read data from buf_io and store in rbuf[] */
> ret = BIO_read(buf_io, rbuf, rlen);
> /* Read rlen-byte data from buf_io and store rbuf[] */
>
> And also here: http://www.openssl.org/docs/crypto/BIO_new_bio_pair.html:
>
> The BIO pair can be used to have full control over the network access of an
> application. The application can call select() on the socket as required
> without having to go through the SSL-interface.
>
>
> The idea is that you have SSL use a bio that is one half of a bio pair:
> SSL will read and write from one bio of the pair, and this will
> "automagically" appear in the other bio of the bio pair (what's written on
> one side is read from the other, and vice-versa).
>
>
> You can also wrap the SSL-application side in a bio as first mentioned.
>
>
> It's a little tricky if you want to do this asynchronously: writing to
> the BIO fronting the SSL engine can result in output on the BIO of the BIO
> pair backing the SSL engine and/or output on the other side of the BIO
> fronting the SSL engine, and vice versa. This is because the SSL handshake
> takes place independently of the transfer of the data. Of course, it does no
> good to block on a BIO read that is stuck waiting a write on the same BIO
> (or the one on the "other side" of the SSL engine).
>
>
> I'm sure others might be able to explain it better, but it's a technique
> I've used in cases where I can't have SSL "front" a traditional socket.
>
>
>
>
>
> ------------------------------
> *From:* owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org]
> on behalf of Neo Liu [diablo...@gmail.com]
> *Sent:* Tuesday, May 17, 2011 7:33 PM
>
> *To:* openssl-users@openssl.org
> *Subject:* Re: Can openssl support EAP-TLS?
>
>
> On Thu, May 12, 2011 at 10:18 AM, Rene Hollan
> <rene.hol...@watchguard.com>wrote:
>
>> If you're looking to do authentication, freeradius will do EAP, and
>> talk to openssl for the TLS part (and an LDAP server for the actual
>> authentication and authorization).
>> ------------------------------
>>
>>
> FreeRADIUS is too big for me. I just want to utilize OpenSSL to implement a
> EAP-TLS server.
> I want to openssl to handle the tls handshake and data encrypting and
> decryption, but I encapsulate the eap packet in my application.
> Can I use something like BIO pair or BIO mem to meet my need?
>
> Thanks for your great help.
>
>
>
