Serialize/Deserialize SSL state

Serialize/Deserialize SSL state

OpenSSL - User mailing list

Is there a way to serialize and deserialize the ssl_st state (i.e. including any child objects)?

Background: I would like to hand off all the SSL state (along with my own managed state, file descriptors, etc.) to another running Linux process (I will handle the IPC handoff). The connection already had its handshake completed, and app data flow had already occurred (i.e. it is not a new or early-ish context). So, trying to see if it is possible to serialize the OpenSSL state, shove it through a unix domain socket to the target process and then have the target process unpack the OpenSSL state and resume IO.
Re: Serialize/Deserialize SSL state

OpenSSL - User mailing list
Not without a lot of work. It’s not part of the current API.

We have tried doing an internal implementation; it was over 1K of new code, and it wasn’t complete.
--
-Todd Short
// “One if by land, two if by sea, three if by the Internet.”

On Aug 9, 2019, at 3:42 PM, Osama Mazahir via openssl-users <[hidden email]> wrote:

Is there a way to serialize and deserialize the ssl_st state (i.e. including any child objects)?
 
Background: I would like to hand off all the SSL state (along with my own managed state, file descriptors, etc.) to another running Linux process (I will handle the IPC handoff). The connection already had its handshake completed, and app data flow had already occurred (i.e. it is not a new or early-ish context). So, trying to see if it is possible to serialize the OpenSSL state, shove it through a unix domain socket to the target process and then have the target process unpack the OpenSSL state and resume IO.


Re: Serialize/Deserialize SSL state

Felipe Gasper-2

> On Aug 9, 2019, at 3:42 PM, Osama Mazahir via openssl-users <[hidden email]> wrote:
>
> Is there a way to serialize and deserialize the ssl_st state (i.e. including any child objects)?
>  
> Background: I would like to hand off all the SSL state (along with my own managed state, file descriptors, etc.) to another running Linux process (I will handle the IPC handoff). The connection already had its handshake completed, and app data flow had already occurred (i.e. it is not a new or early-ish context). So, trying to see if it is possible to serialize the OpenSSL state, shove it through a unix domain socket to the target process and then have the target process unpack the OpenSSL state and resume IO.

For what it’s worth, I have also wished for something like this, where I could pass a file descriptor as well as the OpenSSL state over a socket to a separate process.

-Felipe Gasper
Mississauga, Ontario

Re: Serialize/Deserialize SSL state

OpenSSL - User mailing list
On 09/08/2019 23:21, Felipe Gasper wrote:
>> On Aug 9, 2019, at 3:42 PM, Osama Mazahir via openssl-users <[hidden email]> wrote:
>>
>> Is there a way to serialize and deserialize the ssl_st state (i.e. including any child objects)?
>>  
>> Background: I would like to hand off all the SSL state (along with my own managed state, file descriptors, etc.) to another running Linux process (I will handle the IPC handoff). The connection already had its handshake completed, and app data flow had already occurred (i.e. it is not a new or early-ish context). So, trying to see if it is possible to serialize the OpenSSL state, shove it through a unix domain socket to the target process and then have the target process unpack the OpenSSL state and resume IO.
> For what it’s worth, I have also wished for something like this, where I could pass a file descriptor as well as the OpenSSL state over a socket to a separate process.
>
A possible workaround is to run the SSL code in a dedicated process
and hand around a pipe or unix domain socket carrying the plaintext.

If this is server side, the SSL process could be run under a
dedicated UID which has exclusive access to load the private key etc.,
but no access to the stored application data.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
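An added example, not from this thread, from OpenSSL or from WiseMo, of the plumbing Jakob's workaround relies on: instead of moving the SSL object between processes, the process that owns the TLS connection keeps it and passes the application a pipe carrying plaintext. The pipe's read end travels over a Unix domain socket as an SCM_RIGHTS ancillary message, which is also how a file descriptor would be handed to a separate process in Felipe's scenario. The forked child here stands in for the dedicated (separate-UID) TLS process, the parent stands in for the application, and the plaintext line is a constructed sample written directly to the pipe where the output of SSL_read() would go in a real deployment; no OpenSSL calls are made. The receiver refuses a message that carries anything other than exactly one descriptor, so an unexpected sender cannot plant extra descriptors in the application's table.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifndef MSG_CMSG_CLOEXEC
#define MSG_CMSG_CLOEXEC 0   /* Linux-only flag; harmless to omit elsewhere */
#endif

/* Send exactly one file descriptor plus a short tag over a Unix domain socket. */
static int send_fd(int sock, int fd_to_send, const void *tag, size_t len) {
    struct msghdr msg;
    struct iovec iov = { (void *)tag, len };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    memset(&msg, 0, sizeof msg);
    memset(&ctl, 0, sizeof ctl);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = &ctl;
    msg.msg_controllen = sizeof ctl;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) < 0 ? -1 : 0;
}

/* Receive one descriptor; returns it, or -1 if the message did not carry
 * exactly one SCM_RIGHTS descriptor (truncated control data is rejected too). */
static int recv_fd(int sock, void *tag, size_t len, ssize_t *got) {
    struct msghdr msg;
    struct iovec iov = { tag, len };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    memset(&msg, 0, sizeof msg);
    memset(&ctl, 0, sizeof ctl);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = &ctl;
    msg.msg_controllen = sizeof ctl;
    ssize_t n = recvmsg(sock, &msg, MSG_CMSG_CLOEXEC);
    if (n < 0) return -1;
    *got = n;
    if (msg.msg_flags & MSG_CTRUNC) return -1;      /* more than we budgeted for */
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* Constructed sample plaintext; in a real deployment this is SSL_read() output. */
static const char kPlaintext[] = "GET / HTTP/1.1\r\n";

/* Run the hand-off: child = stand-in TLS process, parent = application.
 * Returns the number of plaintext bytes the application read, or -1. */
static ssize_t handoff_demo(char *out, size_t cap) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* TLS-side process: owns the SSL object */
        int p[2];
        close(sv[1]);
        if (pipe(p) < 0) _exit(1);
        size_t n = sizeof kPlaintext - 1;
        if (write(p[1], kPlaintext, n) != (ssize_t)n) _exit(1);
        close(p[1]);                /* all write ends must close for EOF below */
        const char tag[] = "plaintext";
        _exit(send_fd(sv[0], p[0], tag, sizeof tag) == 0 ? 0 : 1);
    }
    close(sv[0]);                   /* application side: never sees the key or TLS state */
    char tag[16];
    ssize_t got = 0;
    int fd = recv_fd(sv[1], tag, sizeof tag, &got);
    close(sv[1]);
    int status;
    waitpid(pid, &status, 0);
    if (fd < 0) return -1;
    ssize_t total = 0;
    while (total < (ssize_t)cap - 1) {
        ssize_t n = read(fd, out + total, cap - 1 - total);
        if (n <= 0) break;          /* EOF once the TLS process has exited */
        total += n;
    }
    close(fd);
    out[total] = '\0';
    return total;
}

/* Self-check: byte count if the application received exactly the sample, else -1. */
static ssize_t handoff_selftest(void) {
    char buf[64];
    ssize_t n = handoff_demo(buf, sizeof buf);
    return (n == (ssize_t)(sizeof kPlaintext - 1) && memcmp(buf, kPlaintext, n) == 0) ? n : -1;
}

int main(void) {
    ssize_t n = handoff_selftest();
    printf("plaintext bytes received via passed pipe: %zd\n", n);
    return n < 0 ? 1 : 0;
}
```

The split matches what Jakob describes: the descriptor-passing socket and the plaintext pipe are the only things that cross the process boundary, so the application side never needs the SSL object at all, and the TLS side can run under a UID that alone can read the private key.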