Re: TLS over TLS for https proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, Dec 02, 2024 at 02:22:48AM -0800, Thomas K wrote:

> I am still in the process of understanding how the
> network_biopair_interop() works exactly, but I think I got the general
> idea and how to transfer it.

When you configure such a biopair on the network (ciphertext) side of an
SSL handle, the SSL handle is not directly connected to any network
socket.  

Once the is enough data in the write buffer, the biopair is full, and
needs to be drained (read and sent to the peer somehow) by the
application.  Writes to the clear side of the SSL handle then report
SSL_ERROR_WANT_WRITE.

Similarly, when the SSL handle runs of already decrypted data, or
buffered data in the biopair, reads will report SSL_ERROR_WANT_READ.

It is up to you how to move bytes from the biopair to the peer and back.
But of course you need to do so in a timely manner.  In particular on

    - SSL_ERROR_WANT_READ: make sure to send anything already
      available on the write side, the peer may be waiting for that
      before it can respond.  If there's any you can read from the
      peer, do so and push it into the biopair.

    - SSL_ERROR_WANT_WRITE: send already encrypted data to the peer.

The details depend a lot on the application protocol, if it is
half-duplex like SMTP, things may be much easier than in general.
Otherwise, you need non-blocking SSL handles, and ways to know that more
data may be ready, which means also tracking I/O activity on the network
side of the outer SSL tunnel, which could be another biopair, this time
reading/writing to a socket, with epoll() or poll() letting you know
when you may be able to try to push more data into the outer SSL or
to pull more data out.  This takes some care to get right. :-(

-- 
    Viktor.

-- 
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-users+unsubscribe@xxxxxxxxxxx.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/Z03V5_PSQ0UqvIZi%40chardros.imrryr.org.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux