Re: [Fwd: Re: SSL_renegotiation using non block sockets]

2005-06-03 Thread Lokesh Kumar
Learning it the HARD way... :))

anyways...
Doesn't matter if it's 0.9.6 or later; it should go non-blocking.

SSL_renegotiate_pending only checks if the handshake is successful by verifying a
state flag in the SSL structure. It doesn't deal with BIOs or TCP buffers.

SSL_do_handshake enforces the REAL handshake.

Once you are through with Handshake, you may use SSL_read/SSL_write for
application communication.

-Lokesh.
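Added illustration of the point made above (this is not code from the thread or from OpenSSL): the set_blocking/set_nonblocking helpers mentioned further down, implemented with fcntl(), and a poll-driven loop showing how a handshake on a non-blocking descriptor has to be driven. SSL_renegotiate_pending() does no I/O, so the handshake step (SSL_do_handshake() in real code) must be called again each time the socket becomes readable or writable; if nothing calls it, the peer's handshake records sit unread in the TCP receive queue, which is the stall described in this thread. So that the example builds and runs without OpenSSL, the handshake step is a callback; the HS_* codes, fake_step, pump_handshake, run_demo and toggle_demo are constructed names, and a socketpair stands in for the TCP connection.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>

/* Codes modelled on SSL_do_handshake()/SSL_get_error(); HS_DONE is the
 * "SSL_do_handshake() returned 1" case. */
enum { HS_DONE = 1, HS_WANT_READ = 2, HS_WANT_WRITE = 3, HS_FATAL = -1 };

/* The fcntl() helpers the thread refers to; 0 on success, -1 on error. */
int set_blocking(int fd) {
    int flags = fcntl(fd, F_GETFL, 0);
    return flags < 0 ? -1 : fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
}
int set_nonblocking(int fd) {
    int flags = fcntl(fd, F_GETFL, 0);
    return flags < 0 ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* One handshake step; in real code this wraps SSL_do_handshake(). */
typedef int (*handshake_step_t)(void *ctx);

/* Drive a non-blocking handshake: run the step, and whenever it wants I/O
 * wait (bounded by timeout_ms) until the fd is readable/writable, then run
 * it again. Skipping the re-call is what leaves records unread in the TCP
 * receive queue. Returns HS_DONE, HS_FATAL, or 0 on timeout. */
int pump_handshake(int fd, handshake_step_t step, void *ctx, int timeout_ms) {
    long deadline = now_ms() + timeout_ms;
    for (;;) {
        int r = step(ctx);
        if (r == HS_DONE || r == HS_FATAL)
            return r;
        struct pollfd p = { fd, (r == HS_WANT_WRITE) ? POLLOUT : POLLIN, 0 };
        long left = deadline - now_ms();
        if (left <= 0)
            return 0;
        int n = poll(&p, 1, (int)left);
        if (n == 0)
            return 0;                        /* timed out */
        if (n < 0 && errno != EINTR)
            return HS_FATAL;
    }
}

/* Constructed stand-in for SSL_do_handshake(): every byte on the socket is
 * one handshake "record"; WANT_READ until `needed` of them have arrived. */
struct fake_hs { int fd; int needed; int seen; };
static int fake_step(void *ctx) {
    struct fake_hs *h = ctx;
    unsigned char b;
    ssize_t n = read(h->fd, &b, 1);
    if (n == 1)
        return ++h->seen >= h->needed ? HS_DONE : HS_WANT_READ;
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
        return HS_WANT_READ;                 /* peer's flight not here yet */
    return HS_FATAL;                         /* EOF or hard error */
}

/* Scenario: a socketpair stands in for the TCP connection; the far end has
 * already sent `sent` records and the near end needs `needed` of them. */
int run_demo(int sent, int needed, int timeout_ms) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return HS_FATAL;
    set_nonblocking(sv[0]);
    for (int i = 0; i < sent; i++)
        (void)write(sv[1], "R", 1);
    struct fake_hs h = { sv[0], needed, 0 };
    int r = pump_handshake(sv[0], fake_step, &h, timeout_ms);
    close(sv[0]); close(sv[1]);
    return r;
}

/* Check the helpers flip O_NONBLOCK both ways; returns 1 if they do. */
int toggle_demo(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    int ok = set_nonblocking(sv[0]) == 0 && (fcntl(sv[0], F_GETFL, 0) & O_NONBLOCK) &&
             set_blocking(sv[0]) == 0 && !(fcntl(sv[0], F_GETFL, 0) & O_NONBLOCK);
    close(sv[0]); close(sv[1]);
    return ok;
}

int main(void) {
    printf("all records present -> %d (1 = done)\n", run_demo(3, 3, 500));
    printf("one record missing  -> %d (0 = timed out)\n", run_demo(2, 3, 50));
    printf("O_NONBLOCK toggle   -> %d\n", toggle_demo());
    return 0;
}
```

The same loop drives a real renegotiation: set_nonblocking(SSL_get_fd(ssl)), SSL_renegotiate(ssl), then pump with a step that calls SSL_do_handshake() and maps SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE from SSL_get_error() onto HS_WANT_READ / HS_WANT_WRITE. SSL_renegotiate_pending() is only a status query; it can be consulted inside the step, but polling it alone never moves bytes out of the receive queue.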



[Fwd: Re: SSL_renegotiation using non block sockets]

2005-06-02 Thread Gayathri Sundar
 Original Message 
Subject: Re: SSL_renegotiation using non block sockets
From: [EMAIL PROTECTED]
Date: Thu, June 2, 2005 8:41 pm
--

Hi Lokesh,

Thanks for the response. Actually, yesterday I spent close to 3 hrs trying all
sorts of things, and finally concluded myself that renegotiation has to be done
only on blocking sockets. But I thought that was a restriction on OpenSSL 0.9.6.
I am using 0.9.7. Could someone please clarify this?

The thing is, once I call renegotiation/do_handshake, encrypted handshake
messages are exchanged by the peers, but then, checking the
SSL_renegotiate_pending API in a loop wherein I call that for FD_WRITE_POLL, I
noticed that packets in the TCP RecvQ were just not getting read. So the client
never tried to establish the next new connection.
Could you please tell me more about the SSL_renegotiate_pending() API? I don't
think it reads/writes data; it simply returns non-zero if the renegotiation is
still going on and one for completion.

The main scenario is for authentication: after a user has established a valid
SSL session and tries to log in to our application, we want to renegotiate with
a client certificate for extra privileges. What I now see is that the response
encrypted handshake message is not read by SSL; it's there in the TCP RecvQ and
I don't know what API to use so that the server can read it. Will this be solved
if it were made blocking?

Thanks
--Gayathri


Hi,

SSL_accept/SSL_connect is something that we use to establish an initial SSL
connection, and we use SSL_renegotiate/SSL_do_handshake based on timers we
install for SSL for re-negotiating keys, so that the SSL connection is robust
against hacking.

Having said that, I assume you already have an SSL connection established and
want to implement re-negotiation in your application.

It should go like this (OpenSSL says that for re-negotiation we should make the
underlying transport BLOCKING):

If OpenSSL version is < 0.9.7
*****************************
SSL *ssl;
int fd;

fd = SSL_get_fd(ssl);

set_blocking(fd);

SSL_renegotiate(ssl);

SSL_do_handshake(ssl);

/* 0.9.6 exposes the handshake state machine directly in the SSL struct */
while (ssl->state != SSL_ST_OK)
{
    /* you may want to implement timeout here, if you want to */

    ssl->state |= SSL_ST_ACCEPT;
    SSL_do_handshake(ssl);
}

set_nonblocking(fd);

return SUCCESS;


If OpenSSL version is >= 0.9.7
******************************
SSL *ssl;
int fd;

fd = SSL_get_fd(ssl);

set_blocking(fd);

SSL_renegotiate(ssl);

SSL_do_handshake(ssl);

/* SSL_renegotiate_pending() only reports status; SSL_do_handshake() does the work */
while (SSL_renegotiate_pending(ssl))
{
    /* you may want to implement timeout here, if you want to */

    SSL_do_handshake(ssl);
}

set_nonblocking(fd);

return SUCCESS;
******************************

set_blocking and set_nonblocking are functions that can be implemented
very easily using fcntl.

HTH,
Lokesh.


On 6/2/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Thanks pj, the code was really helpful.

Just one minor clarification: once a call to SSL_renegotiate is made, should I
check the protocol status by calling SSL_accept (mine is the server) within the
while loop you have? I have gone into an accept_pending state and am calling
SSL_accept until it returns 1. Is this correct?

 Thanks
 --Gayathri

Hi, I did the same thing yesterday myself, but because I wanted to implement a
timeout solution as well as quick shutdown of my COM object via object
notification. You might be able to hack my work ... this is what I came up
with... It takes a blocking socket, makes it non-blocking, negotiates with
timeout and signalling considerations, and then passes back normal error
codes...



// SSLConnectWithTimeout, connect to a remote server with timeout
int CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl) {
    //-------------------------------------------------------------
    // Set the socket I/O mode: In this case FIONBIO
    // enables or disables the blocking mode for the
    // socket based on the numerical value of iMode.
    // If iMode = 0, blocking is enabled;
    // If iMode != 0, non-blocking mode is enabled.
    u_long iMode = 1;

    LogInformation2("Running SSL non-blocking connection timeout = %ld",
                    timeout);
    if (timeout) {
        // establish non-blocking mode to enable us to time out.
        ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
    }

    // make the connection attempt
    int nRet = SSL_connect(ssl);

    // if we are using a timeout then ...
    if (timeout) {
        // convert nRet to a real error if necessary
        if (nRet != 1)
            nRet = SSL_get_error(ssl, nRet);

        LogInformation2("connect run return value %d.", nRet);
        LogInformation1("Starting SSL polling loop");
        // get the start time
        DWORD starttime