[Fwd: Re: SSL_renegotiation using non block sockets]


[Fwd: Re: SSL_renegotiation using non block sockets]

Gayathri Sundar-2
---------------------------- Original Message ----------------------------
Subject: Re: SSL_renegotiation using non block sockets
From:    [hidden email]
Date:    Thu, June 2, 2005 8:41 pm
--------------------------------------------------------------------------

Hi Lokesh,

Thanks for the response. Actually, yesterday I spent close to 3 hrs
trying all sorts of things, and finally concluded myself that
renegotiation has to be done only on blocking sockets. But I thought that was a
restriction on OpenSSL 0.9.6. I am using 0.9.7. Could someone please clarify
this?

The thing is, once I call renegotiation/do_handshake, encrypted
handshake messages are exchanged by the peers, but then, checking the
SSL_renegotiate_pending API in a loop wherein I call that for
FD_WRITE_POLL, I noticed that packets in the TCP RecvQ were just not getting
read. So the client never tried to establish the next new connection.
Could you please tell me more about the SSL_renegotiate_pending() API? I don't
think it reads/writes data; it simply returns non-zero if the
renegotiation is still going on and a one for completion.

The main scenario is for "authentication", wherein after a user has
established a valid SSL_Session and tries to "Login" into our
application, we want to renegotiate with a "client certificate" for extra
privileges. What I now see is that the response "encrypted handshake msg" is
not read by SSL; it's there in the TCP "RecvQ" and I don't know what API to
use so that the server can read it. Will this be solved if it were made
blocking?

Thanks
--Gayathri


Hi,

SSL_accept/SSL_connect is something that we use to establish an
initial SSL connection, and we use SSL_renegotiate/SSL_do_handshake based
on timers we install for SSL for re-negotiating keys, so that the SSL
connection is robust against hacking.

Having said that, I assume you already have an SSL connection established
and want to implement re-negotiation in your application.

It should go like this....
(OpenSSL says for re-negotiation we should make the underlying
transport BLOCKING)

If openssl version is < 0.9.7
*************************************
SSL *ssl;          /* the already-established connection */
int fd;

fd = SSL_get_fd(ssl);

set_blocking(fd);

SSL_renegotiate(ssl);       /* schedule the renegotiation */

SSL_do_handshake(ssl);      /* on the server this sends the HelloRequest */

/* After the HelloRequest has been sent the state can already be back at
   SSL_ST_OK, so the accept state machine must be re-entered at least once
   to read the client's reply; hence do/while rather than while. */
do
{
    /* you may want to implement timeout here, if you want to */

    ssl->state |= SSL_ST_ACCEPT;
    if (SSL_do_handshake(ssl) <= 0)     /* blocking socket: <= 0 is a failure */
    {
        set_nonblocking(fd);
        return FAILURE;
    }
} while (ssl->state != SSL_ST_OK);

set_nonblocking(fd);

return SUCCESS;
****************************************************

IF openssl version > 0.9.7
*****************************************************
SSL *ssl;          /* the already-established connection */
int fd;

fd = SSL_get_fd(ssl);

set_blocking(fd);

SSL_renegotiate(ssl);       /* schedule the renegotiation */

SSL_do_handshake(ssl);

while (SSL_renegotiate_pending(ssl))
{
    /* you may want to implement timeout here, if you want to */

    if (SSL_do_handshake(ssl) <= 0)     /* blocking socket: <= 0 is a failure */
    {
        set_nonblocking(fd);
        return FAILURE;
    }
}

set_nonblocking(fd);

return SUCCESS;
***************************************************************

set_blocking and set_nonblocking are functions that can be implemented
very easily using fcntl.

HTH,
Lokesh.


On 6/2/05, [hidden email] <[hidden email]> wrote:
> Thanks pj, the code was really helpful.
>
> Just one minor clarification: once a call to SSL_renegotiate is made,
> should I check the protocol status by calling SSL_accept (mine is a
> server) within the while loop you have? I have gone into an
> "accept_pending" state and am calling SSL_accept until it returns with a
> 1. Is this correct?
>
> Thanks
> --Gayathri
>
> Hi, I did the same thing yesterday myself, but because I wanted to
> implement a timeout solution as well as quick shutdown of my COM object
> via object notification you might be able to hack my work... This is
> what I came up with. It takes a blocking socket, makes it non-blocking,
> negotiates with timeout and signalling considerations and then passes
> back normal error codes...
>
>
>
> // SSLConnectWithTimeout, connect to a remote server with timeout
> int CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl)
> {
>         //-------------------------
>         // Set the socket I/O mode: In this case FIONBIO
>         // enables or disables the blocking mode for the
>         // socket based on the numerical value of iMode.
>         // If iMode = 0, blocking is enabled;
>         // If iMode != 0, non-blocking mode is enabled.
>         int iMode = 1;
>
>         LogInformation2("Running SSL non-blocking connection timeout = %ld", timeout);
>         if (timeout) {
>                 // establish non-blocking mode to enable us to time out.
>                 ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
>         }
>
>         // make the connection attempt
>         int nRet = SSL_connect(ssl);
>
>         // if we are using a timeout then ...
>         if (timeout) {
>                 // keep the SSL_connect result and the SSL_get_error code apart:
>                 // SSL_ERROR_SSL is also 1, so storing the error code in nRet
>                 // would make a failed handshake look like a success.
>                 int nErr = SSL_ERROR_NONE;
>                 if (nRet != 1)
>                         nErr = SSL_get_error(ssl, nRet);
>
>                 LogInformation2("connect run return value %d.", nRet);
>                 LogInformation1("Starting SSL polling loop");
>                 // get the start time
>                 DWORD starttime = timeGetTime();
>                 while ((nErr == SSL_ERROR_WANT_READ ||
>                         nErr == SSL_ERROR_WANT_WRITE) && !isStopEventSignaled()) {
>
>                         // Back off to let the connection happen.
>                         //Sleep(50);
>
>                         // reiterate the connection
>                         nRet = SSL_connect(ssl);
>                         nErr = (nRet != 1) ? SSL_get_error(ssl, nRet) : SSL_ERROR_NONE;
>
>                         // check for timeout
>                         if ((timeGetTime() - starttime >= timeout) || m_signalled) {
>                                 // return an error
>                                 nRet = -1;
>                                 break;
>                         }
>                 }
>                 LogInformation2("Finished polling loop signalled? %d", m_signalled);
>                 // if we made it to here with nRet = 1 we are SSL connected
>                 if (nRet == 1) {
>                         LogInformation2("Successful connection made! returning %d.", nRet);
>                         // turn off non-blocking mode, back to blocking mode for the rest
>                         // of the connection
>                         iMode = 0;
>                         ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
>                 }
>                 else {
>                         // just log the error, remember logging disappears when compiled
>                         // without LOG_BUILD defined.
>                         LogInformation2("Timeout occurred returning %d.", nRet);
>                         if (nRet != -1)
>                                 nRet = nErr;    // hand back the SSL error code
>                 }
>         }
>         // return connection state.
>         return nRet;
> }
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of [hidden email]
> Sent: Thursday, 2 June 2005 2:14 PM
> To: [hidden email]
> Subject: SSL_renegotiation using non block sockets
>
> Hi,
>
> I am using non-blocking sockets, and would like to
> know the behaviour wrt SSL_renegotiation.
> Once I make a call to do_handshake, as the FD is non-
> blocking it will return immediately with a success,
> but from the application's point of view how will it come
> to know that the renegotiation is through so that it can
> call SSL_write/SSL_read? Should the application poll on that
> do_handshake flag within the SSL control block?
>
> Any suggestion/help appreciated a lot.
>
> Thanks
> --Gayathri
> ______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]


Re: [Fwd: Re: SSL_renegotiation using non block sockets]

Lokesh Kumar
Learning it the HARD way... :))

anyways...
doesn't matter if it's 0.9.6 or later, it should go non-blocking.

SSL_renegotiate_pending only checks if the handshake is successful by verifying
a state flag in the SSL structure. It doesn't deal with BIOs or TCP buffers.

SSL_do_handshake enforces the REAL handshake.

Once you are through with the handshake, you may use SSL_read/SSL_write for
application communication.

-Lokesh.


On 6/2/05, Gayathri Sundar <[hidden email]> wrote:

> ---------------------------- Original Message ----------------------------
> Subject: Re: SSL_renegotiation using non block sockets
> From:    [hidden email]
> Date:    Thu, June 2, 2005 8:41 pm
> --------------------------------------------------------------------------
>
> HI Lokesh.,
>
> Thanks for the response. Actually yesterday I spent close to 3hrs
> trying all sorts of things, and finally concluded myself that
> renegotiation has to be only on blocking sockets. But I thought that was a
> restriction on openssl 0.9.6. I am using 0.9.7. could someone pls clarify
> on this?
>
> The thing is once I call renegotiation/do_handshake encrypted
> handshake messages are exchanged by the peers but then, checking the
> SSL_renegotiate_pending api in a loop wherein I call that for
> FD_WRITE_POLL noticed that pkts in the TCP RecvQ were just not getting
> read. So
> the Client never tried to establish the next new connection.
> Could you pls let me more about the SSL_renegotiate_pending() api? I dont
> think  it reads/writes data, simply returs with Non-Zero if the
> renegotiation is still going on and a One for completion.
>
> The main scenerio is for "authentication" wherein after a user has
> established a valid SSL_Session, and tries to "Login" into our
> application, we want to renegotiate with "client certificate" for extra
> priviledges, what I now see is, the response "encrypted handshake msg" is
> not read by SSL, its there in the TCP "RecvQ" and I dont know what api to
> use so that the server can read that. Will this be solved if it were made
> blocking?
>
> Thanks
> --Gayathri
>
>
> HI,
>
> SSL_accept/SSL_connect is something that we use to establish an
> initial SSL connection and we use SSL-renegotiate/SSL_do_handshake based
> on timers
> we install for SSL for re-negotiating KEYs such that hacking the SSL
> connection is robust.
>
> Having said that.. I assume you already have an SSL connection established
> and
> want to implement re-negotiation in your application.
>
> It should go like this....
> ( OPENSSL says for re-negotiation we should make the underlying
> transport BLOCKING)
>
> If openssl version is  < 0.9.7
> *************************************
> SSL *ssl;
> int fd;
>
> fd = SSL_get_fd(ssl);
>
> set_blocking(fd);
>
> SSL_renegotiate(ssl);
>
> SSL_do_handshake(ssl);
>
> while( ssl->state != SSL_ST_OK)
> {
>       /* you may want to implement timeout here, if you want to */
>
>         ssl->state |= SSL_ST_ACCEPT;
>         SSL_do_handshake(ssl);
> }
>
> set_nonblocking(fd);
>
> return SUCCESS;
> ****************************************************
>
> IF openssl version > 0.9.7
> *****************************************************
> SSL *ssl;
> int fd;
>
> fd = SSL_get_fd(ssl);
>
> set_blocking(fd);
>
> SSL_renegotiate(ssl);
>
> SSL_do_handshake(ssl);
>
> while( SSL_renegotiate_pending(ssl))
> {
>       /* you may want to implement timeout here, if you want to */
>
>        SSL_do_handshake(ssl);
> }
>
> set_nonblocking(fd);
>
> return SUCCESS;
> ***************************************************************
>
> set_blocking and set_nonblocking are functions that can be implemented
> very easily using fcntl.
>
> HTH,
> Lokesh.
>
>
> On 6/2/05, [hidden email] <[hidden email]> wrote:
> > Thanks pj, the code was real helpful.
> >
> > Just one minor clarification, once a call to SSL_renegotiate is made,
> should I check the protocol status by calling SSL_accept (mine is
> server) within the while loop you have? I have gone into an
> "accept_pending" state and calling SSL_accept until it returns with a
> 1..is this correct?
> >
> > Thanks
> > --Gayathri
> >
> > Hi I did the same thing yesterday myself but because I wanted to
> implement a
> > timeout solution as well as quick shutdown of my COM object via object
> notification.  You might be able to hack my work ... this is what I came
> up with... It takes a blocking socket, makes it un-blocking...
> negotiates with timeout and signalling considerations and then passes
> back normal error codes...
> >
> >
> >
> > // SSLConnectWithTimeout, connect to a remote server with timeout int
> CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl) {
> >        //-------------------------
> >        // Set the socket I/O mode: In this case FIONBIO
> >        // enables or disables the blocking mode for the
> >        // socket based on the numerical value of iMode.
> >        // If iMode = 0, blocking is enabled;
> >        // If iMode != 0, non-blocking mode is enabled.
> >        int iMode = 1;
> >
> >        LogInformation2("Running SSL non-blocking connection timeout = %ld",
> > timeout);
> >        if (timeout) {
> >                // establish non- blocking mode to enable us to time out.
> ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
> >        }
> >
> >        // make the connection attempt
> >
> >        int nRet = SSL_connect(ssl);
> >
> >        // if we are using a timeout then ...
> >        if (timeout) {
> >                // convert nRet to a real error if necessary
> >                if (nRet != 1)
> >                        nRet = SSL_get_error(ssl, nRet);
> >
> >                LogInformation2("connect run return value %d.", nRet);
> LogInformation1("Starting SSL polling loop");
> >                // get the start time
> >                DWORD starttime = timeGetTime();
> >                while ((nRet==SSL_ERROR_WANT_READ ||
> > nRet==SSL_ERROR_WANT_WRITE) && !isStopEventSignaled()) {
> >
> >                        // Back off to let the connection happen.
> //Sleep(50);
> >                        // reiterate the connection
> >                        nRet = SSL_connect(ssl);
> >                        if (nRet != 1)
> >                                nRet = SSL_get_error(ssl, nRet);
> >
> >                        // check for timeout
> >                        if ((timeGetTime() - starttime >= timeout) ||
> > m_signalled) {
> >                                // return an error
> >                                nRet = -1;
> >                                break;
> >                        }
> >                }
> >                LogInformation2("Finished polling loop signalled? %d",
> > m_signalled);
> >                // if we made it to here with nRet = 1 we are SSL
> connected if (nRet == 1) {
> >                        LogInformation2("Successful connection made!
> > returning %d.", nRet);
> >                        // turn off non-blocking mode, back to blocking mode
> > for the rest
> >                        // of the connection
> >                        iMode = 0;
> >                        ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
> >                }
> >                else {
> >                        // just a log the error, remember logging disappears
> > when compiled
> >                        // without LOG_BUILD defined.
> >                        LogInformation2("Timeout occurred returning %d.",
> > nRet);
> >                }
> >        }
> >        // return connection state.
> >        return nRet;
> > }
> >
> > -----Original Message-----
> > From: [hidden email]
> > [mailto:[hidden email]] On Behalf Of [hidden email]
> Sent: Thursday, 2 June 2005 2:14 PM
> > To: [hidden email]
> > Subject: SSL_renegotiation using non block sockets
> >
> > Hi,
> >
> > I am using Non Blocking sockets, and would like to
> > know the behaviour wrt SSL_renegotiation.
> > Once I make a call to do_handshake, as the FD is non
> > blocking it will return immediately with a success,
> > but from the application's point of view how will it come
> > to know that the renegotiation in thro' so that it can
> > call SSL_write/SSL_read? Should the application poll on that
> > do_handshake flag within the ssl control block?
> >
> > Any suggestion/help appreciated a lot.
> >
> > Thanks
> > --Gayathri
> > ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Anti-Virus.
> > Version: 7.0.322 / Virus Database: 267.4.0 - Release Date: 1/06/2005
> >
> >
> > --
> > No virus found in this outgoing message.
> > Checked by AVG Anti-Virus.
> > Version: 7.0.322 / Virus Database: 267.4.0 - Release Date: 1/06/2005
> >
> >
> > ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
> >
> >
> > ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
> >
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>
>
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]