Re: SSL_CTX_set_cert_verify_callback and certificate access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Jan 9, 2019 at 6:54 PM Corey Minyard <minyard@xxxxxxx> wrote:
> My first inclination for a secure connection was to use ssh. However,
> ssh is not as well suited for this as I would have liked, and all the
> ssh libraries are tied to a file descriptor in ways that are not easily
> fixable, and thus can't be used on top of an abstract connection, which
> is what I need.  That was rather disappointing, as it would have been
> really nice to for users to just be able to ssh to ser2net.

Not to second guess your finding that ssh isn't working well for you,
you know your own code best, but for my own interest, I'm curious what
about the fd is a problem? Perhaps the mismatch between X.509+TLS and
the auth model you want are enough to reconsider your abstractions?
Generating certs is pretty annoying and fragile, and using ssh clients
is pretty easy!

It sounds like your are building the abstractions (in C?) inside the
sernet process, but maybe your abstraction can be an fd, and the
"layers" can be child processes that connect fd-to-fd, sortof
qmail-like? Or, ssh should be able to execute an arbitrary command on
the server, and that command should be able to do anything it wants
with the ssh-facing socket descriptors, perhaps sending data to/from
your server which can then move the data through the in-process
abstractions?

Cheers,
Sam
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux