SSL transfer connection (SSL_dup, SSL_up_ref, SSL_free)


SSL transfer connection (SSL_dup, SSL_up_ref, SSL_free)

Alex Hultman
Hi Benjamin,

Thanks for the answer. I actually found a working solution just a couple of minutes after I posted but I still wanted to hear what you recommended. I just did ssl->references++; and also the same on the attached BIO's before SSL_set_fd. This works perfectly and I'm able to take over the SSL connection even after the original server "destroys" their socket.

I guess I just need to use SSL_up_ref when compiling for OpenSSL 1.1.0 then.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: SSL transfer connection (SSL_dup, SSL_up_ref, SSL_free)

Benjamin Kaduk
On 04/25/2016 10:18 PM, Alex Hultman wrote:
> Hi Benjamin,
>
> Thanks for the answer. I actually found a working solution just a couple of minutes after I posted but I still wanted to hear what you recommended. I just did ssl->references++; and also the same on the attached BIO's before SSL_set_fd. This works perfectly and I'm able to take over the SSL connection even after the original

And now you have a subtle threading bug that will only manifest under load -- do not mix ordinary increments (references++) with locked or otherwise atomic operations (CRYPTO_add).

> server "destroys" their socket.
>
> I guess I just need to use SSL_up_ref when compiling for OpenSSL 1.1.0 then.

You'll need to switch APIs for 1.1.0, yes.

-Ben


Re: SSL transfer connection (SSL_dup, SSL_up_ref, SSL_free)

Viktor Dukhovni
In reply to this post by Alex Hultman

> On Apr 25, 2016, at 11:18 PM, Alex Hultman <[hidden email]> wrote:
>
> Thanks for the answer. I actually found a working solution just a couple of minutes after I posted but I still wanted to hear what you recommended. I just did ssl->references++; and also the same on the attached BIO's before SSL_set_fd. This works perfectly and I'm able to take over the SSL connection even after the original server "destroys" their socket.

I would not also increment the reference counts on the BIOs except for any that are explicitly freed by the other thread. You would be introducing a memory and file descriptor leak.

--
        Viktor.
