SSL Communication using BIO


Re: SSL Communication using BIO

harshvir
Thanks Gayatri.
This is what I am doing, but I don't have any buffer to send initially; my data transfer starts from the server side.
What I was doing is calling SSL_connect after initialization, and then in the socket read and write code I was doing encrypt and decrypt accordingly, but the very first moment I send data to s_server, it gives the error "unknown protocol".
Thanks.

// Harshvir
On Wed, May 25, 2011 at 10:02 AM, Gayathri Sundar <[hidden email]> wrote:
So finally you have agreed to my initial suggestion of state machines :)

The basic steps in terms of an algorithm are as follows:

A. Create the SSL ctx and SSL obj.
B. Create a pair of memory BIOs and attach them to the SSL obj, one for read and the other for write.
C. Create the TCP fds and complete the TCP handshake.
D. Once TCP connect is done, you have an fd on which you receive and send data.
E. Initialize your state machine for SSL connect pending.
F. Take the buffer to be sent, copy it to the memory write BIO, encrypt it using SSL connect, then do a TCP send.
G. While still connect pending, do a TCP read, copy to the read BIO, and call SSL connect to decrypt.

Thanks
--Gayathri

On Wednesday, May 25, 2011, Harshvir Sidhu <[hidden email]> wrote:
> Hi,
>    I am trying to implement a state machine based on the demo application, which is server code.
>    I am writing the client side.
>    So when I try to do the handshake by calling SSL_connect, for which I have used memory BIOs, after that I check for data available, and then I read the data and send it to the server; on the server side I am getting an error.
>
> 180:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:.\ssl\s23_srvr.c:584: shutting down SSL
>
>    My question is, which is a good place to do the handshake in case we use a state machine? I am doing it just after initializing ctx and ssl, and then I send data 1 time and perform the rest of the operations in my receive callback, but s_server gives me an error on the first packet only.
>
>
> Thanks.
>
> // Harshvir
>
> 2011/5/25 Michael Ströder <[hidden email]>
>
> Eric S. Eberhard wrote:
> or ... keep it simple and at least consider using stunnel.
>
> I use stunnel myself in some situations. It's a great tool.
>
> But bear in mind that the application then has no access to authentication information of the SSL layer.
>
> Ciao, Michael.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]


Re: SSL Communication using BIO

harshvir
Just to clarify my last message: I am using a state machine. I called SSL_connect after creating the ctx and ssl objs and 2 mem BIOs and setting them on the ssl, then read the data from the BIO and sent that to the server, and that gave me the error.




Re: SSL Communication using BIO

Gayathri Sundar-3
In reply to this post by harshvir
Okay, you are writing the client, so you need to do connect. Now SSL_connect is going to do the complete SSL handshake, which involves multiple reads and writes. Since you are using memory BIOs, SSL connect is going to read from the r_membio and write into the w_membio. The data has to go out the TCP fd you have created and connected with the server. So it's your duty to take the data out of the w_membio and do a tcp_send(). That is what I meant by saying "write". Application data transfer may be initiated by your server once the SSL connect is through. There are APIs which tell if SSL connect is completed, and SSL connect itself will return ssl_success; until then you will be getting the want_read and want_write error codes, so your state machine would be in the "connect pending" state until SSL connect returns success. Please understand that SSL_connect itself will be called multiple times in the async architecture.

BTW, if the protocol negotiation has failed, perhaps you need to see what the server supports; maybe it understands only TLS and not SSLv3, etc.

thanks
--Gayathri

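The loop described in the steps above and in this reply (call SSL_connect, get want_read, drain the write BIO to the socket, feed socket bytes into the read BIO, repeat until the handshake completes), as an added example that is not code from the thread. It uses Python's ssl.MemoryBIO and SSLObject, which wrap the same OpenSSL memory-BIO machinery, instead of the C API; the transport is simulated rather than a real TCP socket, and the class, state names and server hostname "example.invalid" are this example's own. The record check shows what a TLS server expects as the very first bytes on the socket: whatever is drained from the write BIO after the first SSL_connect must begin with a Handshake record carrying a ClientHello, and the deliberately wrong peer input at the end shows how the client side reacts when the bytes it is fed are not TLS at all.

```python
"""Client-side TLS handshake state machine over memory BIOs.

Python's ssl.MemoryBIO / SSLObject wrap the same OpenSSL memory BIOs the
thread discusses; the class below plays the role of the C state machine.
"""
import ssl

# States of the hypothetical client state machine (names are this example's own).
CONNECT_PENDING = "connect-pending"   # SSL_connect returned WANT_READ/WANT_WRITE
CONNECTED = "connected"               # SSL_connect returned success
FAILED = "failed"                     # SSL_connect returned a fatal SSL error


def is_client_hello_record(data):
    """Check that wire bytes start with a TLS record of type Handshake (0x16),
    major version 3, whose first handshake message is a ClientHello (type 1).
    This is what a TLS server expects as the very first bytes on the socket."""
    if len(data) < 6:
        return False
    content_type, version_major, handshake_type = data[0], data[1], data[5]
    return content_type == 0x16 and version_major == 0x03 and handshake_type == 0x01


class MemBioClient:
    """SSL object wired to two memory BIOs: r_membio (socket -> SSL) and
    w_membio (SSL -> socket). Nothing here touches a real socket."""

    def __init__(self, server_hostname="example.invalid"):
        ctx = ssl.create_default_context()
        self.r_membio = ssl.MemoryBIO()
        self.w_membio = ssl.MemoryBIO()
        self.ssl = ctx.wrap_bio(self.r_membio, self.w_membio,
                                server_side=False, server_hostname=server_hostname)
        self.state = CONNECT_PENDING

    def pump(self, received=b""):
        """One turn of the state machine: copy bytes received from TCP into the
        read BIO, re-drive SSL_connect, then drain the write BIO and return the
        bytes that must now go out on TCP (possibly empty)."""
        if received:
            self.r_membio.write(received)
        if self.state == CONNECT_PENDING:
            try:
                self.ssl.do_handshake()            # the SSL_connect call
                self.state = CONNECTED
            except ssl.SSLWantReadError:
                pass                               # WANT_READ: need more bytes from the peer
            except ssl.SSLError:
                self.state = FAILED                # e.g. the peer's bytes were not TLS at all
        # Memory BIOs never block on write, so WANT_WRITE does not occur here;
        # everything SSL produced is now in w_membio, waiting for tcp_send().
        return self.w_membio.read()

    def handshake_done(self):
        """The SSL_is_init_finished() equivalent."""
        return self.state == CONNECTED


if __name__ == "__main__":
    client = MemBioClient()
    first_out = client.pump()                      # first SSL_connect: emits the ClientHello
    print(client.state, len(first_out), "bytes to send; ClientHello record:",
          is_client_hello_record(first_out))
    # Constructed, deliberately wrong peer input: plain HTTP instead of a ServerHello.
    client.pump(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    print(client.state)
```

The bytes returned by the first pump() are exactly what the thread's client reads out of its w_BIO and sends on TCP; if s_server sees anything other than such a record first (for example a buffer that was never passed through the SSL object), the server-side failure is reported in the SSL23_GET_CLIENT_HELLO stage, as in the error quoted above.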



Re: SSL Communication using BIO

harshvir
I am using the SSL_is_init_finished API function to check if init is finished.
But it's not even reaching that code.
The very first call I made was to SSL_connect, and after that I read data from w_BIO and then sent that on TCP, and on getting that data, the server gives this error.
And for debugging purposes I am using openssl s_server with -msg enabled so that I can see what's going on. I am not using my server for this, and I think that one supports SSLv3.
This is the error I get:
 
180:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:.\ssl\s23_srvr.c:584: shutting down SSL
 
// Harshvir

 