Quantcast

forking server question

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

forking server question

Robert Cousins
Please excuse what is a simple question: what is the proper way to clean
up in the parent and child when writing a forking server using OpenSSL?
(I expected this would be a FAQ, but I couldn't find it.)  I have code
which works, but I have the nagging feeling that I'm leaking on the
parent side. Here is my main program:

int
main(int argc, char *argv[])
{
  BIO     *acc;
  SSL_CTX *ctx;
  install_sigchld();            /* Install signal handlers */
  init_OpenSSL(  );            /* Initialize library, RNG, etc. */
  ctx = setup_server_ctx(  );        /* Build Context */
  if (!(acc = BIO_new_accept(PORT)))    /* Get ready for connection */
    int_error("Error creating server socket");
  if (BIO_do_accept(acc) <= 0)        /* Bind to socket */
    int_error("Error binding server socket");
  while (1) {
    SSL     *ssl;
    int fd = -1;
    if (BIO_do_accept(acc) <= 0)     /* Accept the connection */
      int_error("Error accepting connection");
    BIO *client = BIO_pop(acc);        /* get the client off BIO */
    switch (fork()) {
    case -1: err(1,"Fork failed");     /* error */
    default:                /* parent */
      BIO_get_fd(client,&fd);        /* close the socket on parent side */
      close(fd);
      break;
    case 0:                /* child */
      if (!(ssl = SSL_new(ctx)))    /* create new context */
    int_error("Error creating SSL context");
      SSL_set_accept_state(ssl);
      SSL_set_bio(ssl, client, client);
      do_work(ssl);            /* go do some work */
      exit(0);                /* leave (we'll get sigchld) */
    }                  
  }
  SSL_CTX_free(ctx);
  BIO_free(acc);
  return 0;
}


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: forking server question

OpenSSL - User mailing list
> Please excuse what is a simple question: what is the proper way to clean up
> in the parent and child when writing a forking server using OpenSSL?

It's not simple.

Can you have the parent just do socket stuff, and then accept/fork and have the child do all the OpenSSL calls?

Having two processes, both with OpenSSL state, are going to be hard to handle.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: forking server question

Jakob Bohm-7
On 06/05/2017 14:19, Salz, Rich via openssl-users wrote:
>> Please excuse what is a simple question: what is the proper way to clean up
>> in the parent and child when writing a forking server using OpenSSL?
> It's not simple.
>
> Can you have the parent just do socket stuff, and then accept/fork and have the child do all the OpenSSL calls?
That would violate best security practice regarding chroot()
calls and loading of private keys. (Because the secure sequence
is load private keys (possibly with one-time external decryption
assistance), bind to privileged port (such as 443 or 25),
chroot/drop all privileges, accept connection, fork(), handshake,
data exchange).

Things become even more complicated if a program wants to do a
second level of per message privilege drops, as seen in the exim4
mail server.
>
> Having two processes, both with OpenSSL state, are going to be hard to handle.
>
>
Make that N processes, and understand why this should be a FAQ.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: forking server question

OpenSSL - User mailing list

> Make that N processes, and understand why this should be a FAQ.

Have no problem with adding to the FAQ.

It's likely to be our next code-health target :)
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Loading...