renegotiate across exec()

renegotiate across exec()

Felipe Gasper-2
Hi all,

        I’ve got a project where I’m trying to send a Hello Request from the server immediately before an exec(), then renegotiate the SSL connection.

        What is the easiest way to send *just* a Hello Request from a server?

        Thanks!

-Felipe Gasper
Mississauga, Ontario
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: renegotiate across exec()

Viktor Dukhovni


> On Mar 1, 2018, at 10:39 PM, Felipe Gasper <[hidden email]> wrote:
>
> Hi all,
>
> I’ve got a project where I’m trying to send a Hello Request from the server immediately before an exec(), then renegotiate the SSL connection.
>
> What is the easiest way to send *just* a Hello Request from a server?

You actually have a more severe problem.  The session is already established
and so the renegotiation must happen over an already encrypted channel.  But
there's no API to export the cryptographic state for use in the new executable.

I believe you're out of luck.  I believe that OpenSSL does not support migration
of live connections between address spaces.

--
        Viktor.

Re: renegotiate across exec()

Jakob Bohm-7
On 02/03/2018 06:44, Viktor Dukhovni wrote:

>
>> On Mar 1, 2018, at 10:39 PM, Felipe Gasper <[hidden email]> wrote:
>>
>> Hi all,
>>
>> I’ve got a project where I’m trying to send a Hello Request from the server immediately before an exec(), then renegotiate the SSL connection.
>>
>> What is the easiest way to send *just* a Hello Request from a server?
> You actually have a more severe problem.  The session is already established
> and so the renegotiation must happen over an already encrypted channel.  But
> there's no API to export the cryptographic state for use in the new executable.
>
> I believe you're out of luck.  I believe that OpenSSL does not support migration
> of live connections between address spaces.
>
One workaround could be to do a fork()/exec(), then have the exec-ed
address space talk to the un-forked() parent address space in order to
get the renegotiation encrypted with the previously negotiated keys.

Another option could be to do a fork()/exec() with the parent process
maintaining full control of the SSL/TLS encryption, passing the
plaintext data to/from the child via pipes.  Perhaps the parent process
(or other piped process) could be a special process dedicated to doing
encryption/decryption, thus completely shielding the keys (long term and
short term) from any vulnerabilities in the data handling process.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

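The second design in Jakob's reply, as an added example written for this page (not code from the thread or from OpenSSL): the parent keeps the TLS socket, the session keys and the private key, fork()/exec()s the data-handling program with plaintext pipes on its stdin/stdout, and relays between the two. Any renegotiation the peer asks for is then serviced inside the parent's blocking recv() and never has to cross exec() at all. It uses Python's ssl module, which wraps OpenSSL, for the connection type; demo() drives serve_connection() over a socketpair with a constructed request instead of a real TLS session, and the child is a stand-in that upper-cases its input. The function names and the request/response assumption (client half-closes when its request is complete) are mine, not the thread's.

```python
import socket
import ssl
import subprocess
import sys
import threading

BUF = 16384  # one TLS record's worth of plaintext


def serve_connection(conn, argv):
    """Keep the TLS socket `conn` in this process and fork()/exec() `argv` with
    pipes on its stdin/stdout, relaying plaintext both ways. The child never
    sees the socket, the session keys or the private key.

    Assumes a request/response protocol: the client half-closes (or sends
    close_notify) when its request is complete, which is passed on as EOF on
    the child's stdin. Returns the child's exit status."""
    child = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                             close_fds=True)  # no descriptor leaks into the child

    def client_to_child():
        # Blocking recv() on an ssl.SSLSocket reassembles records and lets
        # OpenSSL service a renegotiation or KeyUpdate transparently.
        try:
            while True:
                chunk = conn.recv(BUF)
                if not chunk:
                    break
                child.stdin.write(chunk)
                child.stdin.flush()
        except OSError:  # ssl.SSLError is an OSError subclass
            pass
        finally:
            child.stdin.close()  # propagate the client's EOF to the child

    reader = threading.Thread(target=client_to_child, daemon=True)
    reader.start()

    try:
        while True:  # child -> client, in this thread
            chunk = child.stdout.read1(BUF)
            if not chunk:
                break
            conn.sendall(chunk)
    except OSError:
        pass
    child.stdout.close()
    status = child.wait()
    reader.join()
    if isinstance(conn, ssl.SSLSocket):
        try:
            # Send close_notify so the peer can tell a clean EOF from truncation.
            conn = conn.unwrap()
        except OSError:
            pass
    conn.close()
    return status


def demo(request=b"hello, world\n"):
    """Exercise serve_connection() over a socketpair standing in for the TLS
    connection (constructed input, no handshake) with a child that upper-cases
    its stdin. Returns (bytes the client read back, child exit status)."""
    client, server_end = socket.socketpair()
    upper = [sys.executable, "-c",
             "import sys; sys.stdout.write(sys.stdin.read().upper())"]
    outcome = []
    srv = threading.Thread(
        target=lambda: outcome.append(serve_connection(server_end, upper)))
    srv.start()
    client.sendall(request)
    client.shutdown(socket.SHUT_WR)  # end of request
    reply = b""
    while True:
        chunk = client.recv(BUF)
        if not chunk:
            break
        reply += chunk
    client.close()
    srv.join()
    return reply, outcome[0]


if __name__ == "__main__":
    print(demo())
```

With a real listener you would accept(), wrap the socket with an ssl.SSLContext configured for the server certificate, and hand the resulting SSLSocket to serve_connection(); the exec()ed program is unchanged and only ever reads and writes plaintext.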
Re: renegotiate across exec()

OpenSSL - User mailing list
In reply to this post by Viktor Dukhovni
> I believe you're out of luck.  I believe that OpenSSL does not support migration
> of live connections between address spaces.

Yeah, the closest you can come is using TLS sessions or tickets.

Re: renegotiate across exec()

Felipe Gasper-2
In reply to this post by Viktor Dukhovni

> On Mar 2, 2018, at 12:44 AM, Viktor Dukhovni <[hidden email]> wrote:
>
>> On Mar 1, 2018, at 10:39 PM, Felipe Gasper <[hidden email]> wrote:
>>
>> Hi all,
>>
>> I’ve got a project where I’m trying to send a Hello Request from the server immediately before an exec(), then renegotiate the SSL connection.
>>
>> What is the easiest way to send *just* a Hello Request from a server?
>
> You actually have a more severe problem.  The session is already established
> and so the renegotiation must happen over an already encrypted channel.  But
> there's no API to export the cryptographic state for use in the new executable.
>
> I believe you're out of luck.  I believe that OpenSSL does not support migration
> of live connections between address spaces.

Doh!

Eh well. Thank you for clarifying.

-Felipe