>From: [email protected] On Behalf Of Sukalp Bhople
>Sent: Friday, 29 June, 2012 19:37
>Following is the code I used in the server-side program.
>while (1) {
>    SSL *ssl = SSL_new(ctx);
>    SSL_set_fd(ssl, clientserver[1]);
>    if (SSL_accept(ssl) != 1)
>        break;
>    result.handshakes++;
>    SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN);
>    SSL_free(ssl);
>}
I presume there's some synchronization, not shown,
so the SSL_accept (and remainder) only executes once
a socket connection from the/a client exists. If this
is a single loop as shown and not threaded, you are
including network transmission/latency in your
measurement. Unless you care about performance wrt
a single client that does one connection at a time,
this gives inaccurate results; most servers accept
multiple connections usually from multiple clients
concurrently and can overlap computation with I/O.
>This is the server loop I used to handle the requests from the client.
>Where ctx is configured as follows:
>SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_client_certificate);
>/* Set the verification depth */
>SSL_CTX_set_verify_depth(ctx, VERIFICATION_DEPTH);
>I had to also include following code:
>int verify_client_certificate(int ok, X509_STORE_CTX* store) {
<snip>
To be exact, you must have a function with that parameter types
and return type. Its *content* can vary if appropriate.
I presume you are also setting the cert/privatekey and
truststore (usually CAfile and/or CApath); without the
former in the server no authenticated suite can proceed,
and without the latter in the server if the client does
auth (i.e. supplies a cert) OpenSSL can't verify and every
SSL_accept (with the verify callback shown) should fail.
>To clarify,
>1. server does use OpenSSL.
>2. Full handshakes are done.
We don't know that from the code shown. SSL_accept can do
either a full or abbreviated handshake; so can SSL_connect.
>3. SSL object is created and [freed] for each handshake.
>Therefore, ideally, the session should not be cached, since I
>am creating a new SSL object each time. There is similar counter
>code at the client side. Do you think my conclusions are right?
Session caching is done at the SSL_CTX level, not the SSL level,
so using new SSL objects doesn't prevent caching. And OpenSSL's
default for server caching is on. However, if your client also
uses OpenSSL in a similar way, that defaults to off, and if so
full handshakes are indeed occurring.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]