This question already has an answer here:
Pass connected SSL Socket to another Process
(1 answer)
Closed 5 years ago.
The first process will receive and send some data (to complete the authentication) after accept a sslsocket, then send the sslsocket to another process.
I know that multiprocessing.reduction.send_handle can send socket, but it didn't work with sslsocket.
Please help.
This is not possible.
SSL sockets in Python are implemented using OpenSSL. For each SSL socket in python there is a user space state managed by OpenSSL. Transferring a SSL socket to another process would need this internal SSL state to be transferred too. But, Python has no direct access to this state because it only uses the OpenSSL library with the Libraries API and thus can not transfer it.
Related
I've recently been passed an embedded project where an MCU uses libwebsockets (version 3.1.0) to setup a websockets client. The MCU is connected to a SIMCOM modem for 4g connectivity.
Up until now the communication was non-secured: SSL context not set and modem configured to provide just a TCP link to the server. The server URI was a wss one, but security was not enforced.
I've now been asked to set the communication to use SSL/TLS with server and client authentication.
Having never used libwebsockets before and being short on time, my idea was to:
a) Leave libwebsockets set as it was, so with no SSL context set up.
b) Configure the modem to creat an SSL/TLS context and connect to the server through that one.
I did this and I can see my device sending the request to switch from http to websockets protocol, as well as the server's successful reply (code 101). But my problem is that the server's reply never gets processed by libwebsockets and the connection is dropped after a few seconds.
I can se3 that the bytes that make up the server's reply are received by the modem and passed into the MCU's buffer used to pass data into libwebsockets, but then the library never calls its net_recv method to actually read from such buffer.
Also, libwebsockets is currently built with TLS support and uses mbedTLS as SSL/TLS library. But, as said about, SSL context is currently left disabled (ssl_connection in the connection info struct is left set to 0).
So, I was wondering:
Is my approach something that can work at all? Or should I setup the SSL context from libwebsockets and let the modem setup just a TCP connection?
If I were to setup the SSL context from libwebsockets, is there a way to pass certificates and keys tot the library as just C arrays? Or do I have to have them stored as files on a filesystem and then pass their paths to the lib?
Also, I should add that the MCU has a second connection to the server, an HTTPS one, that one too setup with client and server authentication and that works with no problems at all. Therfore, I'm sure that the modem is correctly configured.
If needed, I will be able to provide more info on library configuration and used from Monday, because I'm currently travelling and don't have access to the code. But I wanted to get the ball rolling.
Thanks in advance for your help.
Yesterday, finally I had time to look at the code again. It turns out that the problem was in my code (this was always a strong possibility).
The local implementation of the net_send had a bug and returned always negative values. Thus, libwebsockets thought that the HTTP request to switch protocol had failed and hence was closing down the connection.
So, to answer the two questions above:
Yes, it's possible to setup libwebsockets to not handle SSL/TLS and then provide a SSL/TLS connection from a lower layer (the modem in my case).
It is possible to store certificates and keys in C arrays of bytes and pass them to libwebsockets if you create a custom platform implementation for your platform and create a custom implementation of POSIX like methods (open, close, read, etc).
By default the library expects to work on a POSIX like filesystem, though. So, realising a custom implementation can be a bit of a job.
The above is true for libwebsockets version 3.1.0. I haven't used any other version of the library, so things might have changed since then.
All in all, I think that configuring libwebsockets to handle SSL and the TLS handshake and then provide it with only a TCP connection is the best way of using the library.
I chose a different strategy for the wrong reasons (tight deadline + not being familiar with the codebase), but I'm definitely planning on reviewing my approach at a later date.
I am currently learning about networks and network security. As an exercise I created an application similar to Apple's AirDrop. Like AirDrop my application discovers peers (yet only in the same wifi network) and establishes a connection to share files. It all works great, however my application relies on a plain TCP connection and transferred data is not encrypted!! From some research I learned that AirDrop uses TLS to encrypt data.
My Question is, how is this possible in a peer to peer network connection? Doesn't TLS require a certificate issued by a CA? Does that mean that whenever a user activates AirDrop a certificate must be created?
How would one incorporate TLS in such an application where you could be the client (when accepting a file) or be the server (when sharing a file)?
I'm testing SSL/TLS stream proxying within NGINX that will connect to a web server using gnutls as the underlying TLS API. Using the command line test tool in gnutls (gnutls-serv) the entire process works, but I can't understand the logic:
the NGINX client (proxying HTTP requests from an actual client to the gnutls server) seems to want to handshake the connection multiple times. In fact in most tests it seems to handshake 3 times without error before the server will respond with a test webpage. Using wireshark, or just debugging messages, it looks like the socket on the client side (in the perspective of the gnutls server) is being closed and reopened on different ports. Finally on the successful connection, gnutls uses a resumed sessions, which I imagine is one of the previously mentioned successful handshakes.
I am failing to find any documentation about this sort of behaviour, and am wondering if this is just an 'NGINX thing.'
Though the handshake eventually works with the test programs, it seems kind of wasteful (to have multiple expensive handshakes) and implementing handshake logic in a non-test environment will be tricky without actually understanding what the client is trying to do.
I don't think there are any timeouts or problems happening on the transport, the test environment is a few different VMs on the same subnet connected between 1 switch.
NGINX version is the latest mainline: 1.11.7. I was originally using 1.10.something, and the behaviour was similar though there were more transport errors. Those errors seemed to get cleaned up nicely with upgrading.
Any info or experience from other people is greatly appreciated!
Use either RSA key exchange between NGINX and the backend server or use SSLKEYLOGFILE LD_PRELOAD for NGINX to have the necessary data for Wireshark to decrypt the data.
While a single incoming connection should generate just one outgoing connection, there may be some optimisations in NGINX to fetch common files (favicon.ico, robots.txt).
I'm working at a server that needs to support wss://. The server needs to process the websocket header, to identify the request, and then may decide to pass the SSL context to a worker process. For now, the server uses OpenSSL for SSL comunications, but from my understanding sharing a secure socket between processes is not possible with OpenSSL (tried with SSL_SESSION in parent process and d2i_SSL_SESSION/SSL_CTX_add_session in child process) - reference: http://openssl.6102.n7.nabble.com/How-to-share-SSL-sessions-between-parent-and-child-process-when-doing-fork-exec-td11077.html.
I'm looking to other SSL libraries that may allow this, currently looking at NSS.
Is this possible with any mature open source SSL library?
After a few months of trying to find a way to achieve this with libssl, I decided to make my own TLS implementation. I found no way of implementing this functionality without understanding and modifying libssl (or libressl). I still think is possible, I just didn't find a way. I've implemented a TLS library from scratch and put it on github. Now I have the two needed functions tls_export_context and tls_import_context.
Is this possible with any mature open source SSL library?
I don't think it is possible with any SSL library which is implemented in user-space because then you would continuously need to share the state of a single SSL connection among multiple processes. Contrary to this the state of the underlying TCP connection is managed inside the kernel and there is only a single state even if the same connection is open by parent and child process.
And I don't know of any SSL library which is not implemented in user-space.
This question already has answers here:
Where can I find a good tutorial on iPhone/Objective-C multithreading? [closed]
(5 answers)
Closed 9 years ago.
I am working on writing a simple Redis client application in Objective-C. In order to communicate with Redis on my server I need to SSH into the server and then open a TCP socket to send data back and forth. I am trying to follow an example from libssh2.org, direct_tcpip.c and I have gotten it to work well. I can run the code, and it will say:
Waiting for TCP connection on... 0.0.0.0:6379
So I then try to communicate with it using telnet:
telnet 0.0.0.0 6379
I can successfully connect and interact with Redis this way, YES!
Now the next step is for me to be able to programmatically talk to the server and send it commands from the UI of my app, but the program gets blocked when I call accept() and is stuck waiting for a connection to come in. That's a problem because I need to programmatically connect TO it and I can't seem to figure out how to do that.
I tried calling libssh2_session_set_blocking(session, 0); before accept(), but that didn't seem to change anything.
My goal is to set up the forwarding so that my app can communicate with a remote Redis server as easily as possible and I am totally new to socket programming. I need an SSH tunnel because Redis does not have built-in security and it is recommended that you communicate with it internally.
Thank you to anyone who can point me in the right direction!
The comment posted by #Danack solved the problem for me. I am using a background thread to do the listening and now I am no longer blocked and connecting just fine.