Nikos Mavroyanopoulos | 15 Aug 11:36 2002

Re: passing SSL connection to another process

On Tue, Jul 30, 2002 at 06:39:40PM +0300, Timo Sirainen wrote:

> My server is made of two processes, one handling the login and another
> handling the actual connection after that, using unix socket to pass the fd
> to the other process.
> But now that I'm beginning to implement SSL/TLS support for it, it's
> beginning to look a bit difficult.. Is there some way I could save the
> gnutls state and transfer it to another process with the fd? Or some other
> hopefully not too kludgy way to do it?

Unless the other processes are fork()ed, you cannot transfer
the gnutls state to other processes. 

> Of course, I'll anyway support doing this through SSL proxy process which
> itself connects to the actual server process with unix sockets, but that
> means extra processes..

I think that separating the connection layer process from the
authentication process is cleaner. That way the authentication
process does not send to the socket itself, but sends the packets
to the connection layer process (using IPC or something).

> Another thing that isn't quite clear from the documentation is how to use
> gnutls with nonblocking I/O. All functions returning GNUTLS_E_AGAIN should
> be called again, but I'd also need to know if it happened on read or write,
> so I could call it again at proper time. I think this is a problem only with
> gnutls_handshake()?

I don't understand the question.


Timo Sirainen | 15 Aug 12:44 2002

Re: passing SSL connection to another process

On Thu, Aug 15, 2002 at 12:36:15PM +0300, Nikos Mavroyanopoulos wrote:
> 
> > Another thing that isn't quite clear from the documentation is how to use
> > gnutls with nonblocking I/O. All functions returning GNUTLS_E_AGAIN should
> > be called again, but I'd also need to know if it happened on read or write,
> > so I could call it again at proper time. I think this is a problem only with
> > gnutls_handshake()?
> 
> I don't understand the question.

Basically: How do I create a poll() based process handling multiple SSL
connections?

If I've understood everything right, there are 3 functions that may block if
the socket is in blocking mode: gnutls_record_recv(), gnutls_record_send() and
gnutls_handshake().

With nonblocking sockets, if gnutls_record_recv() doesn't read a full
packet, GNUTLS_E_AGAIN is returned. So I know it wants more data, and I call
it again once poll() says there's more data. The same goes for
gnutls_record_send().

But what about gnutls_handshake(), AFAIK it both receives data and sends
data. How should I know when to call it again? I'd want something similar
to gnutls_record_check_pending() to tell me if handshake waits on input or
output.
Nikos Mavroyanopoulos | 15 Aug 23:45 2002

Re: passing SSL connection to another process

On Thu, Aug 15, 2002 at 01:44:23PM +0300, Timo Sirainen wrote:

> > > Another thing that isn't quite clear from the documentation is how to use
> > > gnutls with nonblocking I/O. All functions returning GNUTLS_E_AGAIN should
> > > be called again, but I'd also need to know if it happened on read or write,
> > > so I could call it again at proper time. I think this is a problem only with
> > > gnutls_handshake()?
> > I don't understand the question.
> Basically: How do I create a poll() based process handling multiple SSL
> connections?
[...]
> But what about gnutls_handshake(), AFAIK it both receives data and sends
> data. How should I know when to call it again? I'd want something similar
> to gnutls_record_check_pending() to tell me if handshake waits on input or
> output.

Could you please check the gnutls_handshake_check_direction() function
in the cvs?

-- 
Nikos Mavroyanopoulos
mailto:nmav <at> gnutls.org
Timo Sirainen | 28 Aug 01:14 2002

Finishing gnutls_record_send()

Now that the nonblocking handshake seems to work, there's only one small
problem left.

How about adding gnutls_record_send_continue() or gnutls_record_flush() or
something similar, which continues sending data from the previous unfinished
gnutls_record_send()?

I can call gnutls_record_send() again too, but it's just that it wants the
data-parameter again, even while it does nothing with it since it's already
copied into internal buffers. So I've currently kludged it by giving
(void *) 1 as data since NULL isn't allowed. I'd really like to get rid of
this kludge :)
Nikos Mavroyanopoulos | 28 Aug 17:39 2002

Re: Finishing gnutls_record_send()

On Wed, Aug 28, 2002 at 02:14:49AM +0300, Timo Sirainen wrote:

> Now that the nonblocking handshake seems to work, there's only one small
> problem left.
> How about adding gnutls_record_send_continue() or gnutls_record_flush() or
> something similar, which continues sending data from the previous unfinished
> gnutls_record_send()?

The NULL pointer is now allowed if the previous call was interrupted.

-- 
Nikos Mavroyanopoulos
mailto:nmav <at> gnutls.org
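The poll()-driven loop Timo asked about (which event to wait for after GNUTLS_E_AGAIN from gnutls_handshake(), and resuming an interrupted gnutls_record_send() without handing the data pointer over again) is shown below as an added example; it is not code from this thread and not GnuTLS code. To make it compile and run with no TLS library or socket present, the library is replaced by a constructed simulation (the sim_* functions): sim_get_direction() stands in for the direction query discussed here (gnutls_handshake_check_direction() in the CVS of the time; to my knowledge the current name is gnutls_record_get_direction(), returning 0 for read and 1 for write, which is an assumption about today's API), and sim_send(session, NULL, 0) mirrors the NULL-resume convention Nikos mentions. The E_AGAIN value, the 4-byte send chunking and the three-flight handshake script are all constructed for the demo.

```c
/* Added example (not GnuTLS code): a poll()-driven state machine for a TLS
 * session whose calls may return "try again" and report which direction they
 * are blocked on.  The library is a constructed simulation (sim_*); in GnuTLS
 * the corresponding calls would be gnutls_handshake(),
 * gnutls_record_get_direction() and gnutls_record_send(). */
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define E_AGAIN   (-28)   /* constructed stand-in for GNUTLS_E_AGAIN */
#define DIR_READ  0       /* library needs POLLIN before it can progress */
#define DIR_WRITE 1       /* library needs POLLOUT */

/* Simulated session: a scripted handshake of three flights, then record
 * sends that reach the wire only 4 bytes per call. */
typedef struct {
    int hs_step;              /* handshake flights completed */
    int direction;            /* direction of the last blocked call */
    const char *pending;      /* unsent tail of the current record */
    size_t pending_len, record_len;
    char wire[256];           /* everything "put on the wire" so far */
    size_t wire_len;
} sim_session;

/* Flight 1 must be written, flight 2 read, flight 3 written, then done. */
static int sim_handshake(sim_session *s) {
    static const int script[3] = { DIR_WRITE, DIR_READ, DIR_WRITE };
    if (s->hs_step < 3) {
        s->direction = script[s->hs_step++];
        return E_AGAIN;
    }
    return 0;
}

/* Which way was the interrupted call blocked?  (gnutls_record_get_direction) */
static int sim_get_direction(const sim_session *s) { return s->direction; }

/* data == NULL resumes the interrupted record: the bytes were copied on the
 * first call, so the caller need not keep them, exactly what the thread asks for. */
static ssize_t sim_send(sim_session *s, const void *data, size_t len) {
    if (data != NULL) {
        s->pending = data;
        s->pending_len = s->record_len = len;
    }
    size_t chunk = s->pending_len < 4 ? s->pending_len : 4;
    memcpy(s->wire + s->wire_len, s->pending, chunk);
    s->wire_len += chunk;
    s->pending += chunk;
    s->pending_len -= chunk;
    if (s->pending_len > 0) {          /* wire full: come back on POLLOUT */
        s->direction = DIR_WRITE;
        return E_AGAIN;
    }
    return (ssize_t)s->record_len;
}

/* Translate the library's direction into the poll() event to wait for. */
static short events_for(int direction) {
    return direction == DIR_WRITE ? POLLOUT : POLLIN;
}

typedef enum { ST_HANDSHAKE, ST_SENDING, ST_DONE } conn_state;
typedef struct { sim_session tls; conn_state state; const char *msg; size_t msg_len; } conn;

/* Called whenever poll() reports the event we last asked for.  Returns the
 * events to wait for next, or 0 when the connection has nothing left to do. */
static short conn_step(conn *c) {
    ssize_t rc;
    switch (c->state) {
    case ST_HANDSHAKE:
        if (sim_handshake(&c->tls) == E_AGAIN)
            return events_for(sim_get_direction(&c->tls));
        c->state = ST_SENDING;
        rc = sim_send(&c->tls, c->msg, c->msg_len);  /* first attempt carries the data */
        break;
    case ST_SENDING:
        rc = sim_send(&c->tls, NULL, 0);             /* resume, no data pointer needed */
        break;
    default:
        return 0;
    }
    if (rc == E_AGAIN)
        return events_for(sim_get_direction(&c->tls));
    c->state = ST_DONE;
    return 0;
}

/* Drive one connection to completion, recording each poll event it asked for.
 * Readiness is assumed here (no real socket); a server would set
 * pfd.events = want and call poll() before the next conn_step(). */
static int run_connection(conn *c, short *trace, int max) {
    int n = 0;
    short want = conn_step(c);
    while (want != 0 && n < max) {
        trace[n++] = want;
        want = conn_step(c);
    }
    return n;
}

int main(void) {
    conn c = { .state = ST_HANDSHAKE, .msg = "hello world", .msg_len = 11 };
    short trace[16];
    int n = run_connection(&c, trace, 16);
    for (int i = 0; i < n; i++)
        printf("wait %d: %s\n", i, trace[i] == POLLOUT ? "POLLOUT" : "POLLIN");
    printf("wire: %.*s\n", (int)c.tls.wire_len, c.tls.wire);
    return 0;
}
```

With the constructed script the connection waits for POLLOUT, POLLIN, POLLOUT during the handshake and then twice for POLLOUT while the 11-byte record drains in 4-byte chunks; the loop never guesses a direction, it asks the session each time a call returns E_AGAIN. In a real server each conn sits beside its fd in the pollfd array, conn_step() is invoked only when poll() reports the event it last returned, and while a session is in the ST_SENDING state it must not be handed a different buffer, since the library still owns the partially sent record.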
Timo Sirainen | 29 Aug 19:50 2002

x509 certificate + private key in same PEM file

How about adding support for it?
Nikos Mavroyanopoulos | 31 Aug 10:49 2002

Re: x509 certificate + private key in same PEM file

On Thu, Aug 29, 2002 at 08:50:25PM +0300, Timo Sirainen wrote:

> How about adding support for it?
Just added in the cvs.

-- 
Nikos Mavroyanopoulos
mailto:nmav <at> gnutls.org
