I'm working at a server that needs to support wss://. The server needs to process the websocket header, to identify the request, and then may decide to pass the SSL context to a worker process. For now, the server uses OpenSSL for SSL comunications, but from my understanding sharing a secure socket between processes is not possible with OpenSSL (tried with SSL_SESSION in parent process and d2i_SSL_SESSION/SSL_CTX_add_session in child process) - reference: http://openssl.6102.n7.nabble.com/How-to-share-SSL-sessions-between-parent-and-child-process-when-doing-fork-exec-td11077.html.
I'm looking to other SSL libraries that may allow this, currently looking at NSS.
Is this possible with any mature open source SSL library?
After a few months of trying to find a way to achieve this with libssl, I decided to make my own TLS implementation. I found no way of implementing this functionality without understanding and modifying libssl (or libressl). I still think is possible, I just didn't find a way. I've implemented a TLS library from scratch and put it on github. Now I have the two needed functions tls_export_context and tls_import_context.
Is this possible with any mature open source SSL library?
I don't think it is possible with any SSL library which is implemented in user-space because then you would continuously need to share the state of a single SSL connection among multiple processes. Contrary to this the state of the underlying TCP connection is managed inside the kernel and there is only a single state even if the same connection is open by parent and child process.
And I don't know of any SSL library which is not implemented in user-space.
Related
I've recently been passed an embedded project where an MCU uses libwebsockets (version 3.1.0) to setup a websockets client. The MCU is connected to a SIMCOM modem for 4g connectivity.
Up until now the communication was non-secured: SSL context not set and modem configured to provide just a TCP link to the server. The server URI was a wss one, but security was not enforced.
I've now been asked to set the communication to use SSL/TLS with server and client authentication.
Having never used libwebsockets before and being short on time, my idea was to:
a) Leave libwebsockets set as it was, so with no SSL context set up.
b) Configure the modem to creat an SSL/TLS context and connect to the server through that one.
I did this and I can see my device sending the request to switch from http to websockets protocol, as well as the server's successful reply (code 101). But my problem is that the server's reply never gets processed by libwebsockets and the connection is dropped after a few seconds.
I can se3 that the bytes that make up the server's reply are received by the modem and passed into the MCU's buffer used to pass data into libwebsockets, but then the library never calls its net_recv method to actually read from such buffer.
Also, libwebsockets is currently built with TLS support and uses mbedTLS as SSL/TLS library. But, as said about, SSL context is currently left disabled (ssl_connection in the connection info struct is left set to 0).
So, I was wondering:
Is my approach something that can work at all? Or should I setup the SSL context from libwebsockets and let the modem setup just a TCP connection?
If I were to setup the SSL context from libwebsockets, is there a way to pass certificates and keys tot the library as just C arrays? Or do I have to have them stored as files on a filesystem and then pass their paths to the lib?
Also, I should add that the MCU has a second connection to the server, an HTTPS one, that one too setup with client and server authentication and that works with no problems at all. Therfore, I'm sure that the modem is correctly configured.
If needed, I will be able to provide more info on library configuration and used from Monday, because I'm currently travelling and don't have access to the code. But I wanted to get the ball rolling.
Thanks in advance for your help.
Yesterday, finally I had time to look at the code again. It turns out that the problem was in my code (this was always a strong possibility).
The local implementation of the net_send had a bug and returned always negative values. Thus, libwebsockets thought that the HTTP request to switch protocol had failed and hence was closing down the connection.
So, to answer the two questions above:
Yes, it's possible to setup libwebsockets to not handle SSL/TLS and then provide a SSL/TLS connection from a lower layer (the modem in my case).
It is possible to store certificates and keys in C arrays of bytes and pass them to libwebsockets if you create a custom platform implementation for your platform and create a custom implementation of POSIX like methods (open, close, read, etc).
By default the library expects to work on a POSIX like filesystem, though. So, realising a custom implementation can be a bit of a job.
The above is true for libwebsockets version 3.1.0. I haven't used any other version of the library, so things might have changed since then.
All in all, I think that configuring libwebsockets to handle SSL and the TLS handshake and then provide it with only a TCP connection is the best way of using the library.
I chose a different strategy for the wrong reasons (tight deadline + not being familiar with the codebase), but I'm definitely planning on reviewing my approach at a later date.
We are using the SIM868E module for connection via GSM, with internal communication over UART.
We need the SIM868E module to communicate with an HTTPS server, (using SSL), however after sending the commands AT+HTTPSSL=?, AT+HTTPSSL=1 or AT+CIPSSL=? the SIM868E module responds:
+CME Error: unknown
(with CMEE level 2).
The specs note that SSL/TLS are supported by this module: (https://simcom.ee/modules/gsm-gprs-gnss/sim868e/).
The firmware on the chip (requested using AT+CGMR) is Revision:1418B02SIM868E32_BLE_EAT.
How can we fix this problem?
According to 2019 SIMCom products catalogue it seems that for SIM868E device there's not support for TLS feature (TLS is the standard name for the SSL protocol).
Just in case the link becomes unreachable, I attach a screenshot of the relevant page of the document:
as you can see, TLS dot is "empty".
Nevertheless, I have to say that SIMCom documents are sometimes contradictory and confusing: in fact in the SIM868E flier claims that the SSL SW feature is supported, but in the SIM800 series AT command manual there's no mention of SSL AT commands.
I will update in case I find any new piece of information about it.
I would honestly avoid trying strange things like flashing the SW of another module. It would be like searching for trouble. And in your case you would lose your positioning capabilities (GPS/GNSS).
Talking about your issue in particular, you'll probably have to compile an SSL library on your host processor (for SSL handshake and data encryption) using the TCP/HTTP commands of your device to transport data to the server. It's not a simple job.
In Hyperledger Fabric we use TLS for secure communication between nodes. So how do I verify/check secure communication between two nodes in HLF after enabling TLS communication?
I have two Fabcar examples, one with TLS enable and one without TLS enabled. so how do I check/verify the result of two codes? I should get the difference in the results of both the codes.
As a simple test you might run wireshark to inspect the packages to the two HLF's where Wireshark should be able to tell you if the traffic is TLS or not, based on the packages.
This link explain some basics to how wireshark detect package types. And here how it detect TLS.
With some strategic filters it should not be a too big of problem to check the specific packages for HLF's. There might even exist some finished filters for this on google.
I'm testing SSL/TLS stream proxying within NGINX that will connect to a web server using gnutls as the underlying TLS API. Using the command line test tool in gnutls (gnutls-serv) the entire process works, but I can't understand the logic:
the NGINX client (proxying HTTP requests from an actual client to the gnutls server) seems to want to handshake the connection multiple times. In fact in most tests it seems to handshake 3 times without error before the server will respond with a test webpage. Using wireshark, or just debugging messages, it looks like the socket on the client side (in the perspective of the gnutls server) is being closed and reopened on different ports. Finally on the successful connection, gnutls uses a resumed sessions, which I imagine is one of the previously mentioned successful handshakes.
I am failing to find any documentation about this sort of behaviour, and am wondering if this is just an 'NGINX thing.'
Though the handshake eventually works with the test programs, it seems kind of wasteful (to have multiple expensive handshakes) and implementing handshake logic in a non-test environment will be tricky without actually understanding what the client is trying to do.
I don't think there are any timeouts or problems happening on the transport, the test environment is a few different VMs on the same subnet connected between 1 switch.
NGINX version is the latest mainline: 1.11.7. I was originally using 1.10.something, and the behaviour was similar though there were more transport errors. Those errors seemed to get cleaned up nicely with upgrading.
Any info or experience from other people is greatly appreciated!
Use either RSA key exchange between NGINX and the backend server or use SSLKEYLOGFILE LD_PRELOAD for NGINX to have the necessary data for Wireshark to decrypt the data.
While a single incoming connection should generate just one outgoing connection, there may be some optimisations in NGINX to fetch common files (favicon.ico, robots.txt).
I have an existing client that is written in ActionScript that I want to completely replace.
Python and Twisted appear to be the ideal candidate. No changes to the server are allowed.
1..What are the possible stumbling blocks?
2..Is it probable that Twisted can be used to create a bit perfect network connection that would be the same as the current client?
The connection is authenticated and uses SSL.
This is too hard to answer without knowing everything about your current client. Try something, and if you have a problem, ask a separate question.
Yes. Twisted doesn't have any restrictions on what kind of network traffic it can create.
Twisted does support SSL out of the box.