Non-blocking SSL handshake

Discussion in 'Ruby' started by Tony Arcieri, Feb 7, 2008.

  1. Tony Arcieri

    Tony Arcieri Guest

    [Note: parts of this message were removed to make it a legal post.]

    Hello. I'm attempting to use SSL within my Fiber-based Actor framework (
    http://revactor.org) and running into problems incorporating SSL.

    As far as I can discern, OpenSSL::SSL::SSLSocket#sysread and #syswrite are
    non-blocking (please correct me if this is wrong) if the socket is in the
    read/write ready state to begin with, which is great.

    However, #connect and #accept, which (I believe) do the SSL handshaking,
    both block.

    Is there any way to do a non-blocking SSL handshake?

    --
    Tony Arcieri
    ClickCaster, Inc.
     
    Tony Arcieri, Feb 7, 2008
    #1
    1. Advertising

  2. Tony Arcieri

    Tony Arcieri Guest

    [Note: parts of this message were removed to make it a legal post.]

    After investigating the issue some more, it appears that this is impossible
    without a C extension.

    The ossl_start_ssl() function in ossl_ssl.c, which is used by both
    OpenSSL::SSL::SSLSocket#connect and #accept, contains a loop which calls
    SSL_connect() or SSL_accept() repeatedly. If either of these functions
    needs the socket to be in a readable or writable state,
    rb_io_wait_readable() or rb_io_wait_writable() is called, blocking the
    application.

    Has there been any consideration as to adding something like
    OpenSSL::SSL::SSLSocket#connect_nonblock and #accept_nonblock to go along
    with Socket#connect_nonblock and Socket#accept_nonblock?

    --
    Tony Arcieri
    ClickCaster, Inc.
     
    Tony Arcieri, Feb 7, 2008
    #2
    1. Advertising

  3. Tony Arcieri

    MenTaLguY Guest

    On Fri, 8 Feb 2008 05:38:57 +0900, "Tony Arcieri" <> wrote:
    > Has there been any consideration as to adding something like
    > OpenSSL::SSL::SSLSocket#connect_nonblock and #accept_nonblock to go along
    > with Socket#connect_nonblock and Socket#accept_nonblock?


    I would favor this solution myself.

    -mental
     
    MenTaLguY, Feb 7, 2008
    #3
  4. Tony Arcieri

    Tony Arcieri Guest

    [Note: parts of this message were removed to make it a legal post.]

    On Feb 7, 2008 1:48 PM, MenTaLguY <> wrote:

    > On Fri, 8 Feb 2008 05:38:57 +0900, "Tony Arcieri" <>
    > wrote:
    > > Has there been any consideration as to adding something like
    > > OpenSSL::SSL::SSLSocket#connect_nonblock and #accept_nonblock to go

    > along
    > > with Socket#connect_nonblock and Socket#accept_nonblock?

    >
    > I would favor this solution myself.
    >
    > -mental
    >


    Well, I managed to create a subclass of OpenSSL::SSL::SSLSocket in a C
    extension which implements #connect_nonblock and #accept_nonblock. It was
    quite a hack: #connect and #accept both call the static C function
    ossl_ssl_setup(), which for whatever reason is not called from #initialize.

    I managed to do it by finding a third method, #session=, which also calls
    ossl_ssl_setup(). I couldn't really figure out what this is for... there's
    a whole OpenSSL::SSL::Session class defined in ossl_ssl_session.c, but the
    Init function for this file is never called, so while it's linked into the
    OpenSSL C extension, it's not accessible in the Ruby environment.

    I fed #session= a bogus parameter (nil), and fortunately the method calls
    ossl_ssl_setup() before doing any typechecking on its arguments. This meant
    I could catch the exception it threw due to the bogus argument, but
    ossl_ssl_setup() was still called.

    Changing the ossl_start_ssl() function that #connect and #accept call into a
    non-blocking one was pretty trivial: I just had it raise exceptions for when
    it needed more data to complete the connection, rather than calling
    rb_io_wait_readable() / rb_io_wait_writable(). If there's any interest I
    can contribute the code back to the OpenSSL extension, but since it's so
    trivial I'd encourage someone on the OpenSSL team to implement it
    themselves.

    --
    Tony Arcieri
    ClickCaster, Inc.
     
    Tony Arcieri, Feb 8, 2008
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jakekeke
    Replies:
    0
    Views:
    513
    Jakekeke
    Oct 19, 2004
  2. Replies:
    3
    Views:
    443
  3. Replies:
    0
    Views:
    705
  4. G. Garrett Campbell

    ssl handshake error

    G. Garrett Campbell, Feb 28, 2008, in forum: Java
    Replies:
    3
    Views:
    833
  5. Ovidiu Deac

    debugging ssl handshake failure

    Ovidiu Deac, Mar 19, 2012, in forum: Python
    Replies:
    0
    Views:
    336
    Ovidiu Deac
    Mar 19, 2012
Loading...

Share This Page