SSL transfer connection (SSL_dup, SSL_up_ref, SSL_free)


SSL transfer connection (SSL_dup, SSL_up_ref, SSL_free)

Alex Hultman
Hi,

I'm having trouble "duping" an SSL connection. I have an SSL *pointer that is going to be SSL_free'd, so I need to clone it or up the ref count or somehow make it stay alive. I see that in OpenSSL 1.1.0 it seems you added the SSL_up_ref - is there any equivalent functionality in 1.0.2? I also see that the documentation of SSL_dup has changed in 1.1.0 to a much more strict one (one that does not suit my needs).

What I'm basically in need of is some way of cloning the connection just like UNIX dup can duplicate a file descriptor so that a new server can use the dup'ed fd while the original server can go ahead and close the original fd without destroying the underlying connection. I need the equivalent in OpenSSL. I tried this:

(0. Have some other HTTPS server accept & establish the SSL pointer)

1. get the SSL pointer, SSL_dup it
2. get the fd, UNIX dup it
3. SSL_set_fd on the duped SSL pointer to the duped fd
4. SSL_write & SSL_shutdown for demo

This gives me SSL_ERROR_BAD_MAC_READ errors on the client. If I skip SSL_dup it works, and I can SSL_write a message that shows up in the client. But like I mentioned, the original server is going to SSL_free the SSL pointer I use, so I need to clone it somehow.

I would be thankful for any clarifications on this. I've been skimming through the docs for 2 days now and it seems very ambiguous.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: SSL transfer connection (SSL_dup, SSL_up_ref, SSL_free)

Benjamin Kaduk
On 04/23/2016 12:26 AM, Alex Hultman wrote:
> Hi,
>
> I'm having trouble "duping" an SSL connection. I have an SSL *pointer that is going to be SSL_free'd, so I need to clone it or up the ref count or somehow make it stay alive. I see that in OpenSSL 1.1.0 it seems you added the SSL_up_ref - is there any equivalent functionality in 1.0.2? I also see that the documentation of SSL_dup has changed in 1.1.0 to a much more strict one (one that does not suit my needs).
>

The SSL_up_ref() on master is just a thin wrapper around CRYPTO_atomic_add() on s->references, which is needed because the SSL structure has become opaque.  You can do the same thing in 1.0.2 by open-coding the corresponding call to CRYPTO_add() (master has changed the atomics APIs as well).  That would be my recommendation in the scenario you describe, as it allows the original consumer to SSL_free() its handle while the second one continues to use the SSL object.

-Ben
