Re: renegotiate across exec()

On 02/03/2018 06:44, Viktor Dukhovni wrote:

> On Mar 1, 2018, at 10:39 PM, Felipe Gasper <felipe@xxxxxxxxxxxxxxxx> wrote:
>
>> Hi all,
>>
>> I’ve got a project where I’m trying to send a Hello Request from the server immediately before an exec(), then renegotiate the SSL connection.
>>
>> What is the easiest way to send *just* a Hello Request from a server?
>
> You actually have a more severe problem.  The session is already established
> and so the renegotiation must happen over an already encrypted channel.  But
> there's no API to export the cryptographic state for use in the new executable.
>
> I believe you're out of luck.  I believe that OpenSSL does not support migration
> of live connections between address spaces.

One workaround could be to do a fork()/exec(), then have the exec-ed
address space talk to the un-forked() parent address space in order to
get the renegotiation encrypted with the previously negotiated keys.

Another option could be to do a fork()/exec() with the parent process
maintaining full control of the SSL/TLS encryption, passing the
plaintext data to/from the child via pipes.  Perhaps the parent process
(or other piped process) could be a special process dedicated to doing
encryption/decryption, thus completely shielding the keys (long term and
short term) from any vulnerabilities in the data handling process.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
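The second layout Jakob describes (parent keeps the TLS session, exec'ed child handles only plaintext over pipes), as an added example that is not code from this thread or from OpenSSL: the parent marks the TLS descriptor close-on-exec so the new address space never inherits it, and `/bin/cat` stands in for the data-handling program. The `SSL_read()`/`SSL_write()` calls that would feed `relay_once` in the parent are assumed and not shown.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Spawn argv[0] with its stdin/stdout wired to pipes the caller owns.
 * tls_fd is the descriptor that must stay in the parent: it is marked
 * close-on-exec so the exec'ed handler cannot inherit it. */
static pid_t spawn_handler(int tls_fd, char *const argv[], int *to_child, int *from_child)
{
    int in[2], out[2];
    if (pipe(in) < 0 || pipe(out) < 0) return -1;
    if (tls_fd >= 0 && fcntl(tls_fd, F_SETFD, FD_CLOEXEC) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* child: keep only the two pipe ends */
        dup2(in[0], STDIN_FILENO);
        dup2(out[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        execv(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    close(in[0]); close(out[1]);    /* parent keeps the other two ends */
    *to_child = in[1]; *from_child = out[0];
    return pid;
}

/* Push one plaintext record through the handler and collect its reply.
 * In the full design the parent would SSL_read() into msg beforehand and
 * SSL_write() the reply afterwards (assumed, not shown); /bin/cat stands
 * in for the data-handling program. Returns the reply length or -1. */
int relay_once(int tls_fd, const char *msg, char *reply, size_t cap)
{
    int w, r;
    char *argv[] = { "/bin/cat", NULL };
    pid_t pid = spawn_handler(tls_fd, argv, &w, &r);
    if (pid < 0) return -1;
    size_t len = strlen(msg);
    if (write(w, msg, len) != (ssize_t)len) return -1;
    close(w);                       /* EOF so the handler finishes */
    ssize_t n, total = 0;
    while ((n = read(r, reply + total, cap - 1 - total)) > 0) total += n;
    reply[total] = '\0';
    close(r);
    waitpid(pid, NULL, 0);
    return (int)total;
}
```

The same close-on-exec step applies to any other descriptor carrying key material (a listening socket with a loaded private key, for instance), since fork() alone copies the whole address space and every open descriptor.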



