SSL_renegotiation using non block sockets

SSL_renegotiation using non block sockets

Gayathri Sundar-2
Hi,

I am using non-blocking sockets, and would like to
know the behaviour wrt SSL_renegotiation.
Once I make a call to do_handshake, as the FD is non-blocking
it will return immediately with a success,
but from the application's point of view how will it come
to know that the renegotiation is through so that it can
call SSL_write/SSL_read? Should the application poll on that
do_handshake flag within the ssl control block?

Any suggestion/help appreciated a lot.

Thanks
--Gayathri
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: SSL_renegotiation using non block sockets

PJ-7
Hi, I did the same thing yesterday myself, because I wanted to implement a
timeout solution as well as a quick shutdown of my COM object via object
notification. You might be able to hack my work... this is what I came up
with. It takes a blocking socket, makes it non-blocking, negotiates with
timeout and signalling considerations and then passes back normal error
codes...



#include <winsock2.h>       // SOCKET, ioctlsocket, select, fd_set
#include <mmsystem.h>       // timeGetTime (link against winmm.lib)
#include <openssl/ssl.h>

// SSLConnectWithTimeout, connect to a remote server with timeout.
// Returns 1 on success, -1 when the timeout expires or a stop is signalled,
// and the negated SSL_get_error() code (-2, -5, ...) on a handshake failure,
// so that no failure can collide with the success value 1.
int CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl) {
        //-------------------------
        // Set the socket I/O mode: In this case FIONBIO
        // enables or disables the blocking mode for the
        // socket based on the numerical value of iMode.
        // If iMode = 0, blocking is enabled;
        // If iMode != 0, non-blocking mode is enabled.
        u_long iMode = 1;
        int nTimedOut = 0;

        LogInformation2("Running SSL non-blocking connection timeout = %ld", timeout);
        if (timeout) {
                // establish non-blocking mode to enable us to time out.
                ioctlsocket(s, FIONBIO, &iMode);
        }

        // make the connection attempt. Keep the SSL_connect() return value
        // and the SSL_get_error() code in separate variables: SSL_ERROR_SSL
        // is also 1, so folding the error code back into nRet would make a
        // fatal handshake failure look like a successful connection.
        int nRet = SSL_connect(ssl);
        int nErr = (nRet == 1) ? SSL_ERROR_NONE : SSL_get_error(ssl, nRet);

        // if we are using a timeout then ...
        if (timeout) {
                LogInformation2("connect run return value %d.", nRet);
                LogInformation1("Starting SSL polling loop");
                // get the start time
                DWORD starttime = timeGetTime();
                while ((nErr == SSL_ERROR_WANT_READ || nErr == SSL_ERROR_WANT_WRITE)
                       && !isStopEventSignaled()) {
                        // Wait for the socket to become ready in the direction
                        // OpenSSL asked for, at most 50 ms at a time so the
                        // timeout and stop checks still run, instead of spinning
                        // on SSL_connect().
                        fd_set fds;
                        FD_ZERO(&fds);
                        FD_SET(s, &fds);
                        struct timeval tv = { 0, 50 * 1000 };
                        if (nErr == SSL_ERROR_WANT_READ)
                                select(0, &fds, NULL, NULL, &tv);
                        else
                                select(0, NULL, &fds, NULL, &tv);

                        // reiterate the connection
                        nRet = SSL_connect(ssl);
                        nErr = (nRet == 1) ? SSL_ERROR_NONE : SSL_get_error(ssl, nRet);

                        // check for timeout
                        if ((timeGetTime() - starttime >= timeout) || m_signalled) {
                                nTimedOut = 1;
                                break;
                        }
                }
                LogInformation2("Finished polling loop signalled? %d", m_signalled);
                // turn off non-blocking mode, back to blocking mode for the rest
                // of the connection (and for the caller's clean-up on failure)
                iMode = 0;
                ioctlsocket(s, FIONBIO, &iMode);
        }

        // if we made it to here with nRet = 1 we are SSL connected
        if (nRet == 1) {
                LogInformation2("Successful connection made! returning %d.", nRet);
        }
        else if (nTimedOut || isStopEventSignaled()) {
                // just log the error, remember logging disappears when compiled
                // without LOG_BUILD defined.
                LogInformation2("Timeout or stop occurred, returning %d.", -1);
                nRet = -1;
        }
        else {
                LogInformation2("SSL_connect failed, SSL_get_error = %d.", nErr);
                nRet = -nErr;
        }
        // return connection state.
        return nRet;
}

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Thursday, 2 June 2005 2:14 PM
To: [hidden email]
Subject: SSL_renegotiation using non block sockets

RE: SSL_renegotiation using non block sockets

Gayathri Sundar-2
Thanks PJ, the code was really helpful.

Just one minor clarification: once a call to SSL_renegotiate is made,
should I check the protocol status by calling SSL_accept (mine is a server)
within the while loop you have? I have gone into an "accept_pending"
state and am calling SSL_accept until it returns 1. Is this correct?

Thanks
--Gayathri

Re: SSL_renegotiation using non block sockets

Lokesh Kumar
Hi,

SSL_accept/SSL_connect is something that we use to establish an
initial SSL connection, and we use SSL_renegotiate/SSL_do_handshake
based on timers we install for SSL for re-negotiating keys such that
hacking the SSL connection is robust.

Having said that, I assume you already have an SSL connection established and
want to implement re-negotiation in your application.

It should go like this....
(OpenSSL says for re-negotiation we should make the underlying
transport BLOCKING)

If openssl version is < 0.9.7
*************************************
#include <fcntl.h>
#include <openssl/ssl.h>

#define SUCCESS  0
#define FAILURE -1

/* set_blocking / set_nonblocking: clear or set O_NONBLOCK with fcntl */
static int set_blocking(int fd)
{
        int flags = fcntl(fd, F_GETFL, 0);
        return (flags < 0) ? -1 : fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
}

static int set_nonblocking(int fd)
{
        int flags = fcntl(fd, F_GETFL, 0);
        return (flags < 0) ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* server side; ssl->state is only reachable with pre-1.1.0 headers,
   where the SSL struct is not yet opaque */
int renegotiate_server(SSL *ssl)
{
        int fd = SSL_get_fd(ssl);
        int ret = SUCCESS;

        set_blocking(fd);

        SSL_renegotiate(ssl);      /* schedule the renegotiation */
        SSL_do_handshake(ssl);     /* sends the HelloRequest */

        /* Run the accept at least once: after the HelloRequest has gone out
           the state machine is already back in SSL_ST_OK, so a plain while()
           would skip the new handshake. OR-ing in SSL_ST_ACCEPT makes the
           next SSL_do_handshake() read the ClientHello and run the handshake
           (blocking). */
        do {
               /* you may want to implement timeout here, if you want to */

                 ssl->state |= SSL_ST_ACCEPT;
                 if (SSL_do_handshake(ssl) <= 0) {
                         ret = FAILURE;    /* fatal error: do not loop on it */
                         break;
                 }
        } while (ssl->state != SSL_ST_OK);

        set_nonblocking(fd);

        return ret;
}
****************************************************

If openssl version > 0.9.7
*****************************************************
int renegotiate(SSL *ssl)
{
        int fd = SSL_get_fd(ssl);
        int ret = SUCCESS;

        set_blocking(fd);

        SSL_renegotiate(ssl);
        if (SSL_do_handshake(ssl) <= 0)
                ret = FAILURE;

        /* SSL_renegotiate_pending() stays non-zero until the new handshake
           has completed. On a server, SSL_do_handshake() returns 1 with the
           renegotiation still pending until the peer's ClientHello has
           arrived, so bound this loop (timeout) rather than trusting it to
           terminate on its own. */
        while (ret == SUCCESS && SSL_renegotiate_pending(ssl))
        {
               /* you may want to implement timeout here, if you want to */

                if (SSL_do_handshake(ssl) <= 0) {
                        ret = FAILURE;    /* fatal error: do not loop on it */
                        break;
                }
        }

        set_nonblocking(fd);

        return ret;
}
***************************************************************

set_blocking and set_nonblocking are functions that can be implemented
very easily using fcntl.

HTH,
Lokesh.


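PJ's SSL_connect loop and Lokesh's renegotiation loops both come down to the question Gayathri opened the thread with: on a non-blocking fd, how does the application learn that the handshake is through? The driver below is an added example for this thread, not code from any of the posts. It retries only on SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE, sleeps in select() on the direction OpenSSL asked for instead of spinning, enforces a deadline, and treats every other SSL_get_error() value as final. The three OpenSSL-facing calls (SSL_do_handshake, SSL_get_error, SSL_get_fd) are implemented twice: for a real SSL* behind a -DUSE_OPENSSL compile-time switch (an assumption of this example), and as a scripted fake so the loop itself runs and can be checked without libssl. The letter-coded scripts ("RWRD" and so on), the fake clock and all hs_*/fake_* names are constructed for the example.

```c
/* Non-blocking TLS handshake driver with a deadline: an added example for this
 * thread, not code from any post. The three OpenSSL-facing calls are implemented
 * twice below: for a real SSL* (compile with -DUSE_OPENSSL, an assumed switch)
 * and as a scripted fake so the loop runs and can be tested without libssl. */
#include <stdio.h>

/* One SSL_do_handshake() outcome, in the terms SSL_get_error() reports. */
enum hs_step { HS_DONE, HS_WANT_READ, HS_WANT_WRITE, HS_FATAL };

static enum hs_step hs_attempt(void *conn);                       /* one handshake call, classified */
static int  hs_wait(void *conn, enum hs_step dir, int timeout_ms); /* 1 ready, 0 timed out, -1 error */
static long hs_now_ms(void *conn);                                 /* monotonic clock */

/* 1 = handshake complete, 0 = deadline_ms elapsed first, -1 = fatal error.
 * Only WANT_READ/WANT_WRITE mean "call again"; anything else is terminal. */
int drive_handshake(void *conn, int deadline_ms)
{
    long start = hs_now_ms(conn);
    for (;;) {
        enum hs_step st = hs_attempt(conn);
        if (st == HS_DONE)  return 1;
        if (st == HS_FATAL) return -1;
        long left = deadline_ms - (hs_now_ms(conn) - start);
        if (left <= 0) return 0;
        /* Block in select() on the direction OpenSSL asked for, never longer
         * than the time left, instead of spinning on SSL_do_handshake(). */
        int r = hs_wait(conn, st, (int)left);
        if (r <= 0) return r;            /* 0: deadline, -1: socket error */
    }
}

#ifdef USE_OPENSSL
#include <time.h>
#include <sys/select.h>
#include <openssl/ssl.h>

/* SSL_ERROR_SSL is also 1: never fold the SSL_do_handshake() return value
 * and the SSL_get_error() code into one variable. */
static enum hs_step hs_attempt(void *conn)
{
    int rc = SSL_do_handshake((SSL *)conn);
    if (rc == 1) return HS_DONE;
    switch (SSL_get_error((SSL *)conn, rc)) {
    case SSL_ERROR_WANT_READ:  return HS_WANT_READ;
    case SSL_ERROR_WANT_WRITE: return HS_WANT_WRITE;
    default:                   return HS_FATAL; /* SSL_ERROR_SSL, SSL_ERROR_SYSCALL, ... */
    }
}

static int hs_wait(void *conn, enum hs_step dir, int timeout_ms)
{
    int fd = SSL_get_fd((SSL *)conn);   /* the fd must already be non-blocking */
    fd_set set;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    FD_ZERO(&set); FD_SET(fd, &set);
    int r = dir == HS_WANT_READ ? select(fd + 1, &set, NULL, NULL, &tv)
                                : select(fd + 1, NULL, &set, NULL, &tv);
    return r < 0 ? -1 : (r > 0);
}

static long hs_now_ms(void *conn)
{
    struct timespec ts;
    (void)conn;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}
#else /* scripted fake, constructed for the example and its test */
/* Each script letter is one attempt outcome (R = WANT_READ, W = WANT_WRITE,
 * D = done, F = fatal); the fake clock advances tick_ms per wait. */
struct fake_conn { const char *script; long clock_ms; int tick_ms; };

static enum hs_step hs_attempt(void *conn)
{
    struct fake_conn *f = conn;
    switch (*f->script ? *f->script++ : 'F') {
    case 'D': return HS_DONE;       case 'R': return HS_WANT_READ;
    case 'W': return HS_WANT_WRITE; default:  return HS_FATAL;
    }
}

static int hs_wait(void *conn, enum hs_step dir, int timeout_ms)
{
    struct fake_conn *f = conn;
    int slept = f->tick_ms < timeout_ms ? f->tick_ms : timeout_ms;
    (void)dir;
    f->clock_ms += slept;
    return slept < timeout_ms;       /* 0 = select() ran out of time */
}

static long hs_now_ms(void *conn) { return ((struct fake_conn *)conn)->clock_ms; }

/* Drive one script through the loop; returns drive_handshake()'s result. */
int run_scripted(const char *script, int tick_ms, int deadline_ms)
{
    struct fake_conn f = { script, 0, tick_ms };
    return drive_handshake(&f, deadline_ms);
}

int main(void)
{
    printf("completes: %d\n", run_scripted("RWRD", 10, 1000));   /* 1 */
    printf("fatal:     %d\n", run_scripted("RF", 10, 1000));     /* -1 */
    printf("deadline:  %d\n", run_scripted("RWRD", 400, 1000));  /* 0 */
    return 0;
}
#endif
```

The fake makes the three interesting paths visible without a network: a handshake that needs several read/write round trips completes, a fatal classification stops the loop on the first attempt instead of being retried, and a peer that is too slow hits the deadline even though every select() woke up. The same shape applies to a renegotiation: Lokesh's SSL_renegotiate_pending() check is what decides whether the next SSL_do_handshake() attempt is still needed, and the WANT_READ/WANT_WRITE handling is identical.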