Hi,

I am using non-blocking sockets, and would like to know the behaviour w.r.t. SSL renegotiation. Once I make a call to do_handshake, as the FD is non-blocking it will return immediately with a success, but from the application's point of view how will it come to know that the renegotiation is through so that it can call SSL_write/SSL_read? Should the application poll on that do_handshake flag within the SSL control block?

Any suggestion/help appreciated a lot.

Thanks
--Gayathri
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]
Hi, I did the same thing yesterday myself, but because I wanted to implement a timeout solution as well as quick shutdown of my COM object via object notification. You might be able to hack my work ... this is what I came up with. It takes a blocking socket, makes it non-blocking, negotiates with timeout and signalling considerations and then passes back normal error codes:

    // SSLConnectWithTimeout, connect to a remote server with timeout
    int CHTTP::SSLConnectWithTimeout(DWORD timeout, SOCKET s, SSL *ssl)
    {
        //-------------------------
        // Set the socket I/O mode: In this case FIONBIO
        // enables or disables the blocking mode for the
        // socket based on the numerical value of iMode.
        // If iMode = 0, blocking is enabled;
        // If iMode != 0, non-blocking mode is enabled.
        int iMode = 1;

        LogInformation2("Running SSL non-blocking connection timeout = %ld", timeout);
        if (timeout) {
            // establish non-blocking mode to enable us to time out.
            ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
        }

        // make the connection attempt
        int nRet = SSL_connect(ssl);

        // if we are using a timeout then ...
        if (timeout) {
            // convert nRet to a real error if necessary
            if (nRet != 1)
                nRet = SSL_get_error(ssl, nRet);

            LogInformation2("connect run return value %d.", nRet);
            LogInformation1("Starting SSL polling loop");
            // get the start time
            DWORD starttime = timeGetTime();
            while ((nRet == SSL_ERROR_WANT_READ || nRet == SSL_ERROR_WANT_WRITE) && !isStopEventSignaled()) {
                // Back off to let the connection happen.
                //Sleep(50);
                // reiterate the connection
                nRet = SSL_connect(ssl);
                if (nRet != 1)
                    nRet = SSL_get_error(ssl, nRet);

                // check for timeout
                if ((timeGetTime() - starttime >= timeout) || m_signalled) {
                    // return an error
                    nRet = -1;
                    break;
                }
            }
            LogInformation2("Finished polling loop signalled? %d", m_signalled);
            // if we made it to here with nRet = 1 we are SSL connected
            if (nRet == 1) {
                LogInformation2("Successful connection made! returning %d.", nRet);
                // turn off non-blocking mode, back to blocking mode for the rest
                // of the connection
                iMode = 0;
                ioctlsocket(s, FIONBIO, (u_long FAR*) &iMode);
            }
            else {
                // just log the error, remember logging disappears when compiled
                // without LOG_BUILD defined.
                LogInformation2("Timeout occurred returning %d.", nRet);
            }
        }
        // return connection state.
        return nRet;
    }
Thanks pj, the code was real helpful.

Just one minor clarification: once a call to SSL_renegotiate is made, should I check the protocol status by calling SSL_accept (mine is a server) within the while loop you have? I have gone into an "accept_pending" state and am calling SSL_accept until it returns with a 1. Is this correct?

Thanks
--Gayathri
Hi,

SSL_accept/SSL_connect is something that we use to establish an initial SSL connection, and we use SSL_renegotiate/SSL_do_handshake based on timers we install for SSL for re-negotiating keys such that hacking the SSL connection is robust. Having said that, I assume you already have an SSL connection established and want to implement re-negotiation in your application. It should go like this (OpenSSL says for re-negotiation we should make the underlying transport BLOCKING):

If openssl version is < 0.9.7
*************************************
    SSL *ssl;
    int fd;

    fd = SSL_get_fd(ssl);
    set_blocking(fd);
    SSL_renegotiate(ssl);
    SSL_do_handshake(ssl);
    while (ssl->state != SSL_ST_OK) {
        /* you may want to implement timeout here, if you want to */
        ssl->state |= SSL_ST_ACCEPT;
        SSL_do_handshake(ssl);
    }
    set_nonblocking(fd);
    return SUCCESS;
****************************************************

IF openssl version > 0.9.7
*****************************************************
    SSL *ssl;
    int fd;

    fd = SSL_get_fd(ssl);
    set_blocking(fd);
    SSL_renegotiate(ssl);
    SSL_do_handshake(ssl);
    while (SSL_renegotiate_pending(ssl)) {
        /* you may want to implement timeout here, if you want to */
        SSL_do_handshake(ssl);
    }
    set_nonblocking(fd);
    return SUCCESS;
***************************************************************

set_blocking and set_nonblocking are functions that can be implemented very easily using fcntl.

HTH,
Lokesh.
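An added example, not code from any poster in this thread: the same handshake driver as pj's loop above, but waiting with select() in the direction OpenSSL reports instead of spinning, with the deadline and stop flag kept. It is written against Python's ssl module, where do_handshake() raising SSLWantReadError/SSLWantWriteError is the counterpart of SSL_get_error() returning SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE, and a plain return is how the application learns the (re)negotiation is through, which is Gayathri's question. FakeHandshake is a constructed stand-in for an SSLSocket so the driver runs offline.

```python
import select, socket, ssl, time


def drive_handshake(conn, timeout, stop=lambda: False):
    """Drive a non-blocking TLS (re)negotiation on `conn` to completion.
    conn is any object with do_handshake() and fileno(), e.g. an ssl.SSLSocket
    in non-blocking mode. Returns "ok" once do_handshake() returns (the C
    equivalent of SSL_do_handshake() == 1), else "timeout" or "stopped".
    """
    deadline = time.monotonic() + timeout
    while True:
        try:
            conn.do_handshake()          # raises WANT_READ/WANT_WRITE until done
            return "ok"
        except ssl.SSLWantReadError:
            rlist, wlist = [conn], []    # peer's next flight not here yet
        except ssl.SSLWantWriteError:
            rlist, wlist = [], [conn]    # our flight blocked on a full send buffer
        if stop():                       # e.g. a shutdown flag, as in pj's loop
            return "stopped"
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return "timeout"
        # Wait for readiness in the direction OpenSSL asked for, instead of
        # calling SSL_connect/SSL_do_handshake in a tight loop.
        select.select(rlist, wlist, [], remaining)


class FakeHandshake:
    """Constructed stand-in for an SSLSocket so the driver runs offline.
    Raises WANT_READ/WANT_WRITE alternately `steps` times, then completes; a
    socketpair gives select() a real descriptor, and when peer_responds is
    true a byte is queued so the WANT_READ wait ends as a peer flight would."""
    def __init__(self, steps, peer_responds=True):
        self.ours, self.peer = socket.socketpair()
        self.steps, self.done, self.peer_responds = steps, 0, peer_responds

    def fileno(self):
        return self.ours.fileno()

    def do_handshake(self):
        if self.done >= self.steps:
            return                       # finished: same signal as a real SSLSocket
        self.done += 1
        if self.done % 2:
            if self.peer_responds:
                self.peer.send(b"\x16")  # constructed: pretend a record arrived
            raise ssl.SSLWantReadError()
        raise ssl.SSLWantWriteError()
```

With a real ssl.SSLSocket (created with do_handshake_on_connect=False and then setblocking(False)) the same drive_handshake() call works unchanged; the application resumes SSL_read/SSL_write only after it returns "ok".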