SSL Communication using BIO

SSL Communication using BIO

harshvir
Hi,
   Previously I have used SSL_XXX functions for performing SSL operations. Now I am working on an application which is written in Managed C++ using callback functions (BeginReceive and EndReceive), and the SSL_read function is not working for that. So I tried using BIO_ functions to create a BIO pair for an internal and a network BIO and then using them to encrypt/decrypt data before sending over a normal socket, but when I try to use that my handshake is not getting completed. I do not see any error on s_server, but it doesn't seem to work when I try to enter something on the server side; my callback doesn't get called.
   Can someone point me to some example code for this in which BIO is used to encrypt and decrypt data and then normal sockets are used for send/receive? I am not able to find anything in the OpenSSL source examples or on Google.

   Thanks.

// Harshvir

Re: SSL Communication using BIO

Stokestack
On Sun, May 22, 2011 at 5:10 PM, Harshvir Sidhu <[hidden email]> wrote:
   Can someone point me to some example code for this in which BIO is used to encrypt and decrypt data and then using normal sockets for send/receive? I am not able to find anything in openssl source exmple or on google.


Here's some:

http://www.opensc.ws/tutorials-articles/12761-rsa-encryption-using-openssl-c-c.html
Re: SSL Communication using BIO

harshvir
Thanks GS.
But I am more interested in sample code in which a BIO pair is used for socket communication along with certificate exchange.
In the current code, I am creating the CTX as usual, then using BIO to do the connect and handshake, but that is not working.

// Harshvir


Re: SSL Communication using BIO

Stokestack
Ah, yes, I realized later that there wasn't any communication info in there.  I only use it for encryption.

Good luck!
Re: SSL Communication using BIO

Neo Liu-2
A BIO pair is a non-blocking BIO, so you need to call SSL_accept() or SSL_do_handshake() several times.
The example code looks like the following:

BIO_write(ebio, ...)   /* feed ciphertext read from the socket into the network-side BIO */
SSL_accept(ssl)        /* advance the handshake; repeat while it reports WANT_READ/WANT_WRITE */
BIO_read(ebio, ...)    /* take the ciphertext OpenSSL produced and send it on the socket */

You can use BIO_pending() and BIO_wpending() to watch the buffer status of the BIO pair.


Re: SSL Communication using BIO

JoelKatz
In reply to this post by harshvir
On 5/22/2011 5:10 PM, Harshvir Sidhu wrote:


You are thinking about the problem wrong. You are thinking "I need to
send some data. So I send it to OpenSSL. OpenSSL encrypts it, so then I
need to get that encrypted data from OpenSSL and write it to the socket.
Then, the other end will reply, so I need to read some encrypted data
from the socket, give it to OpenSSL, and then OpenSSL will decrypt it
and give it to me." This attempt to "look through" the OpenSSL engine
will produce broken code and pain.

Instead, treat the OpenSSL engine as a black box whose internals are
wholly unknown to you. If you receive some data from the socket, give it
to OpenSSL. If OpenSSL wants to send some data on the socket, send it.
If you want to send some data to the other side, give it to OpenSSL. If
OpenSSL has some plaintext for you, take it and process it. But make no
assumptions about the sequence or interactions between these things.

For example, a typical mistake is to wait for data to be received on the
socket before calling SSL_Read. This is completely broken behavior. Data
received on the socket is encrypted. Data received from SSL_Read is
decrypted. These are two distinct streams that, as far as your
application should be concerned, are totally unrelated. (Except when
SSL_Read specifically returns a WANT_READ, of course, and then only
until some other event invalidates the WANT_READ indication.)

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: SSL Communication using BIO

Gayathri Sundar-3
In reply to this post by Neo Liu-2
As Neo Liu has pointed out, if you try to use a memory BIO pair for communication, then it's your responsibility to read and write every byte out the fd using tcp_send and recv() calls, as OpenSSL would only read and write into the BIO. This approach is very, very tedious, and I'm not sure if that's the only way to solve your problem.

thanks
--Gayathri

Re: SSL Communication using BIO

harshvir
In reply to this post by JoelKatz
David,
   So are you suggesting that I change the approach in my code? My application is for Windows and in Managed C++. In that I am using a callback function for receive; when the callback function is called and I call SSL_read in it, it hangs at the recv call in the OpenSSL code. My assumption is that the data was already read from the socket when the callback was called. Another thing I would like to mention is that I am using the Sockets managed class, not the native sockets.

// Harshvir


Re: SSL Communication using BIO

harshvir
Anyone, any comments on this? Is OpenSSL an appropriate choice for my case?

// Harshvir


Re: SSL Communication using BIO

John R Pierce
In reply to this post by harshvir
On 05/23/11 1:59 AM, Harshvir Sidhu wrote:

If you are working in Windows "Managed" space, why not use the Windows
native SSL functionality? I believe that's provided by SSPI and its
Schannel support.
http://msdn.microsoft.com/en-us/library/aa380493(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/aa380123(v=VS.85).aspx

--
john r pierce                            N 37, W 123
santa cruz ca                         mid-left coast


Re: SSL Communication using BIO

harshvir
I have discussed that with my team; we only have to use OpenSSL. SSPI has been ruled out for our work.

// Harshvir


Re: SSL Communication using BIO

Wim Lewis-3
In reply to this post by harshvir

On 23 May 2011, at 1:29 PM, Harshvir Sidhu wrote:
> Anyone any comments on this. Is openssl appropriate choice for my case?

As I understand it you want OpenSSL to handle the protocol and encryption, but you don't want OpenSSL to do any network I/O itself: you want to do that (via the C# sockets class).

An example of using OpenSSL in this way is in demos/state_machine/state_machine.c in the OpenSSL distribution. As David Schwartz says, the important thing is not to assume that reads and writes of your data correspond directly to reads and writes on the socket. SSL may need to perform multiple reads and writes before you see any data (for example, during a handshake or renegotiation).

state_machine.c uses memory BIOs to buffer data going in and out of SSL. I think a better way to do it in current versions of OpenSSL is to make your own, nonblocking BIO which calls into your C# code as needed. But I could be wrong.



Re: SSL Communication using BIO

Eric S. Eberhard-2
In reply to this post by harshvir
You might also consider using stunnel, which works perfectly and is
easy to use in many cases, and unless your volume is silly-high it has
plenty of performance to run in inetd mode, which is very
reliable. stunnel is based on OpenSSL. It also makes your app
independent of SSL changes, which I like. Eric


Re: SSL Communication using BIO

Neo Liu-2
In reply to this post by harshvir
I think you can read this article and it will help.
http://www.lenholgate.com/blog/2002/11/using-openssl-with-asynchronous-sockets.html


Re: SSL Communication using BIO

Gayathri Sundar-3
Actually, I would seriously recommend you read the OpenSSL book written by Eric Rescorla; it discusses all the use cases of OpenSSL, BIO, and async/sync usage, so that you get an idea of how OpenSSL itself works.


Re: SSL Communication using BIO

Eric S. Eberhard-2
In reply to this post by Neo Liu-2
or ... keep it simple and at least consider using stunnel. I have a
LOT of applications using OpenSSL; for 3/4 of them I just use stunnel and forget
about it. For a few, when I need to do crazy things, I code and link
it into my application. But you can save a lot of trouble with
stunnel, at least as a first step (proof of concept). BTW, I also
use the Windows version, which you can download with an installer, and
it works great as well. E



Re: SSL Communication using BIO

JoelKatz
In reply to this post by harshvir
On 5/23/2011 1:59 AM, Harshvir Sidhu wrote:
> David,
>     So are you suggesting that i change the approach in my Code.

Hard for me to give you a useful answer without seeing your code. If
your code tries to treat OpenSSL as a filter, expecting input and output
to correlate, then yes. If your code handled OpenSSL as a black box with
four separate I/O paths (encrypted data in, encrypted data out, plaintext
in, plaintext out) without assuming any relationship between them, then
it's fine.

> My
> application is for Windows and in Managed C++. In that i am using
> Callback function for receive, when the callback function is called, and
> when i call SSL_read in that, it hangs at recv call in the OpenSSL code,
> my assumption is that data was already read from socket, when callback
> was called. Another thing i would like to mention is I am using Sockets
> Managed Class, not the native sockets.

When your callback function is called, that means encrypted data is
available on the socket. The SSL_Read function is for reading
unencrypted data from the SSL engine. It is only appropriate to call
SSL_Read in response to a data available callback on the socket in one
case -- if your last SSL operation was an SSL_Read and it returned a
WANT_READ indication. In any other case, this is broken behavior
reflecting erroneously trying to "look through" the SSL engine.

Your code must treat the SSL engine as a black box. Yes, we happen to
know that *IN* *GENERAL* we're reading encrypted data from the socket,
decrypting it, and then passing the plaintext to the application, but your
code should treat this as an OpenSSL internal detail and should not
pretend it knows that this will happen.

DS


Re: SSL Communication using BIO

Michael Ströder
In reply to this post by Eric S. Eberhard-2
Eric S. Eberhard wrote:
> or ... keep it simple and at least consider using stunnel.

I use stunnel myself in some situations. It's a great tool.

But bear in mind that the application then has no access to authentication
information of the SSL layer.

Ciao, Michael.

Re: SSL Communication using BIO

harshvir
Hi,
   I am trying to implement a state machine based on the demo application, which is server code.
   I am writing the client side.
   So when I try to do the handshake by calling SSL_connect, for which I have used memory BIOs, after that I check for data available, and then I read the data and send it to the server; on the server side I am getting this error:

180:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:.\ssl\s23_srvr.c:584: shutting down SSL

   My question is: which is a good place to do the handshake in case we use a state machine? I am doing it just after initializing ctx and ssl, and then I send data one time and perform the rest of the operations in my receive callback, but s_server gives me an error on the first packet only.

Thanks.

// Harshvir


Re: SSL Communication using BIO

Gayathri Sundar-3
So finally you have agreed to my initial suggestion of state machines :)

The basic steps, in terms of an algorithm, are as follows:

A. Create the SSL ctx and SSL obj.
B. Create a pair of memory BIOs and attach them to the SSL obj; one is
for read and the other is for write.
C. Create the TCP fds and complete the TCP handshake.
D. Once the TCP connect is done, you have an fd on which you receive and send data.
E. Initialize your state machine for "SSL connect pending".
F. Take the buffer to be sent, copy it to the memory write BIO,
encrypt it using SSL connect, then do a TCP send.
G. While still connect pending, do a TCP read, copy to the read BIO, call
SSL connect to decrypt.

Thanks
--Gayathri

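The four separate I/O paths David Schwartz describes and the memory-BIO state machine Gayathri sketches, worked end to end as an added example (not code from the thread, from OpenSSL's demos or from any poster): Python's ssl.MemoryBIO and SSLObject stand in for the OpenSSL memory-BIO pair, an in-process pump plays the socket, and the `openssl` command-line tool (assumed to be installed) mints a throwaway self-signed certificate. It makes the thread's warning visible: the handshake takes several trips over the "wire" before any plaintext exists, and ciphertext arriving on the socket (half a record, a TLS 1.3 session ticket) can yield nothing at all from the SSL read side.

```python
# Added example, not code from the thread; assumes the `openssl` CLI is installed.
import ssl
import subprocess
import tempfile

def make_self_signed_cert(directory):
    """Mint a throwaway RSA key and self-signed certificate for localhost."""
    key, crt = f"{directory}/key.pem", f"{directory}/cert.pem"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=localhost",
         "-addext", "subjectAltName=DNS:localhost"],
        check=True, capture_output=True)
    return key, crt

class TlsEndpoint:
    """SSL engine with four separate I/O paths; the caller, not OpenSSL, moves the bytes."""

    def __init__(self, ctx, server_side, server_hostname=None):
        self.incoming = ssl.MemoryBIO()   # network -> engine (ciphertext)
        self.outgoing = ssl.MemoryBIO()   # engine -> network (ciphertext)
        self.ssl = ctx.wrap_bio(self.incoming, self.outgoing, server_side=server_side,
                                server_hostname=server_hostname)
        self.handshake_done, self.plaintext = False, bytearray()

    def feed_ciphertext(self, data):
        self.incoming.write(data)

    def take_ciphertext(self):
        return self.outgoing.read()

    def handshake_step(self):
        """Advance the handshake; WANT_READ only means 'feed me more bytes'."""
        if not self.handshake_done:
            try:
                self.ssl.do_handshake()
                self.handshake_done = True
            except ssl.SSLWantReadError:
                pass
        return self.handshake_done

    def send_plaintext(self, data):
        self.ssl.write(data)

    def drain_plaintext(self):
        """Return how many plaintext bytes were ready; fresh ciphertext may yield none."""
        got = 0
        while True:
            try:
                chunk = self.ssl.read(4096)
            except ssl.SSLWantReadError:
                return got
            if not chunk:
                return got
            self.plaintext += chunk
            got += len(chunk)

def pump(a, b):
    """Stand-in for the socket: move pending ciphertext in both directions."""
    b.feed_ciphertext(a.take_ciphertext())
    a.feed_ciphertext(b.take_ciphertext())

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = make_self_signed_cert(tmp)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(crt, key)
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verification on by default
        client_ctx.load_verify_locations(cafile=crt)          # trust only this cert
        client = TlsEndpoint(client_ctx, False, server_hostname="localhost")
        server = TlsEndpoint(server_ctx, True)
        rounds = 0  # the handshake needs several trips over the "wire", no plaintext yet
        while True:
            c_done, s_done = client.handshake_step(), server.handshake_step()
            if c_done and s_done:
                break
            pump(client, server)
            rounds += 1
        # One SSL write becomes one TLS record; deliver it to the server in two halves.
        client.send_plaintext(b"hello over memory BIOs")
        record = client.take_ciphertext()
        server.feed_ciphertext(record[:len(record) // 2])
        after_half = server.drain_plaintext()   # 0: ciphertext arrived, nothing to read
        server.feed_ciphertext(record[len(record) // 2:])
        after_full = server.drain_plaintext()
        # Post-handshake records (TLS 1.3 session tickets) are ciphertext with no plaintext.
        client.feed_ciphertext(server.take_ciphertext())
        from_tickets = client.drain_plaintext()
        return {"handshake_rounds": rounds, "after_half_record": after_half,
                "after_full_record": after_full, "from_post_handshake": from_tickets,
                "server_plaintext": bytes(server.plaintext)}

if __name__ == "__main__":
    print(run_demo())
```

The counters in the returned dict are the whole point: the server reads 0 bytes after the first half of the record, 22 after the second half, and the client reads 0 from the server's post-handshake records even though bytes arrived.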