Pure Perl OpenSSL Library

Marc

Hi,

I'm developing a piece of software that needs to act as a Certificate
Authority. I must use Perl for this.
I would like to avoid forking at each certificate request as there will
be several requests within seconds. The problem is that every SSL
module I can find for Perl uses the openssl command line.

Can someone point me to/give me the name of a project that has (even if
not complete) a pure Perl/C OpenSSL library?

I would be very surprised if no such project exists... but who knows? :)

Marc
 
Big and Blue

Marc said:
> I'm developing a piece of software that needs to act as a Certificate
> Authority. I must use Perl for this.

An odd pre-requisite if it stops you achieving your actual goal.

> I would like to avoid forking at each certificate request as there will
> be several requests within seconds. The problem is that every SSL
> module I can find for Perl uses the openssl command line.

My suspicion is that if you are worried about the cost of forking then
you're looking at the wrong thing. I assume you are intending that this
system be generating certificates? If so, then the resources for that (in
particular its random/prime number generating) will make any forking
resource demands pale into insignificance.

> Can someone point me to/give me the name of a project that has (even if
> not complete) a pure Perl/C OpenSSL library?
>
> I would be very surprised if no such project exists... but who knows? :)

Why would you be surprised? Perhaps others see that it would be a lot
of work for almost no gain? The openssl command already exists. Perl has
adequate ways to run external commands.
 
Marc

Big and Blue said:
> An odd pre-requisite if it stops you achieving your actual goal.

This will be behind an Apache server. I first wrote the test system
using Python, but Perl is widely used here, so I must use it ;)

> My suspicion is that if you are worried about the cost of forking
> then you're looking at the wrong thing. I assume you are intending
> that this system be generating certificates? If so, then the
> resources for that (in particular its random/prime number generating)
> will make any forking resource demands pale into insignificance.

You are right. But if I just want to get some field from the
certificates, forking is a bit heavy for this... But I will investigate
this. Thanks for the remark ;)

> Why would you be surprised? Perhaps others see that it would be a
> lot of work for almost no gain? The openssl command already exists.
> Perl has adequate ways to run external commands.

Yes, but if you read the openssl manual, you will see that this is some
sort of 'demo' tool, not intended to, but used for a CA... It is not
locking the cert db, the return status is not very easy to use in a script
(you must read stderr to see if the certificate has been added, for
example)... I know this is possible and projects are using this, but this
is not as clean as a pure Perl solution... I thought maybe someone did
such a lib, as it is possible to find all sorts of things in Perl... why
not?

Thanks,

Marc
 
Big and Blue

Marc said:
> This will be behind an Apache server. I first wrote the test system
> using Python, but Perl is widely used here, so I must use it ;)

You missed my point. Perl is an option, not a requirement.

.....

> You are right. But if I just want to get some field from the
> certificates, forking is a bit heavy for this... But I will investigate
> this. Thanks for the remark ;)

Forking isn't *that* heavy. However, modules such as IO::Socket::SSL
do certificate verification, so perhaps you could look through that to see
how it does it? Presumably to verify it it must look at the certificate
fields.

> Yes, but if you read the openssl manual, you will see that this is some
> sort of 'demo' tool, not intended to, but used for a CA...

You could make it so with a little work....

> It is not locking the cert db,

So, write a simple Perl module which does this before calling openssl....

> the return status is not very easy to use in a script (you must
> read stderr to see if the certificate has been added, for example)

...and which then parses stderr and returns the status.

> I thought maybe someone did such a
> lib, as it is possible to find all sorts of things in Perl... why not?

Waiting for someone to do it? Are you volunteering?
 
Marc

Big and Blue said:
> You missed my point. Perl is an option, not a requirement.

Yes and no. If I want to make some script with Apache and use some
languages used in my "team", there's not much left ;)

> Forking isn't *that* heavy. However, modules such as
> IO::Socket::SSL do certificate verification, so perhaps you could look
> through that to see how it does it? Presumably to verify it it must
> look at the certificate fields.

My system will receive bursts of a thousand and more requests within a
short period (seconds/minutes), so I want to avoid forks as much as
possible.

> So, write a simple Perl module which does this before calling openssl....
> ...and which then parses stderr and returns the status.

I'm already doing this. But for example, if openssl returned something
other than 0 when there is a problem, it would be easier than parsing
undocumented output from stderr ;)

> Waiting for someone to do it? Are you volunteering?

Not waiting for someone to do it, asking if someone knows about this
sort of project. I'm afraid I'm not skilled enough in Perl and don't
have time for writing such a thing, so I'll use what already exists.

Thanks,
Marc
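A sketch of the wrapper the two previous posts describe (take a lock before calling openssl, then turn the exit status and stderr into a usable result), added here as an example and not code from anyone in the thread; the CA directory, config path and lock file name are assumptions, and the signing subcommand is `openssl ca -batch`:

```perl
#!/usr/bin/perl
# sign_csr.pl: serialise `openssl ca` runs with an exclusive lock and turn
# the exit status plus captured stderr into a simple (status, message) pair.
# Added example for this thread; paths below are assumptions, not real ones.
use strict;
use warnings;
use Fcntl qw(:flock);
use IPC::Open3;
use Symbol qw(gensym);

my $CA_DIR   = '/etc/myca';          # assumed: holds openssl.cnf, index.txt, serial
my $LOCKFILE = "$CA_DIR/ca.lock";    # assumed lock file guarding the cert db

# sign_csr($csr_path, $cert_path) -> ('ok'|'error', last stderr line)
sub sign_csr {
    my ($csr, $out) = @_;

    # One signer at a time: `openssl ca` rewrites index.txt and serial and
    # does no locking of its own, so concurrent runs can corrupt the cert db.
    open(my $lock, '>>', $LOCKFILE) or return ('error', "cannot open lock: $!");
    flock($lock, LOCK_EX)           or return ('error', "cannot lock: $!");

    # List form: the CSR path is passed as an argument, never through a shell.
    my @cmd = ('openssl', 'ca', '-batch', '-config', "$CA_DIR/openssl.cnf",
               '-in', $csr, '-out', $out);

    my ($in, $stdout);
    my $err = gensym;                # separate handle so stderr is not merged
    my $pid = eval { open3($in, $stdout, $err, @cmd) };
    return ('error', "cannot run openssl: $@") unless $pid;

    close $in;                       # -batch mode reads nothing from stdin
    my @stderr = <$err>;             # assumes output is small (fits the pipe buffer)
    my @stdout = <$stdout>;
    waitpid($pid, 0);
    my $exit = $? >> 8;

    close $lock;                     # closing the handle releases the flock

    # The exit status is the authoritative result; stderr is kept as a diagnostic.
    my $last = @stderr ? $stderr[-1] : '';
    chomp $last;
    return ($exit == 0 && -s $out) ? ('ok', $last) : ('error', "exit $exit: $last");
}

die "usage: $0 request.csr cert.pem\n" unless @ARGV == 2;
my ($status, $msg) = sign_csr(@ARGV);
print "$status: $msg\n";
exit($status eq 'ok' ? 0 : 1);
```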
 
Big and Blue

Marc said:
> My system will receive bursts of a thousand and more requests within a
> short period (seconds/minutes), so I want to avoid forks as much as
> possible.

Requests for what? I presume you aren't going to be creating/issuing
thousands of certificates within minutes.

If you are trying to validate an "incoming" SSL certificate in Apache
you should use mod_ssl. But what are you actually trying to do?
 
Marc

Big and Blue said:
> Requests for what? I presume you aren't going to be
> creating/issuing thousands of certificates within minutes.

Yes, I will.

> If you are trying to validate an "incoming" SSL certificate in
> Apache you should use mod_ssl. But what are you actually trying to do?

Already using that ;)

I'm writing a system that will be able to identify node's clusters, so I
will have lots and lots of certificate requests at startup, then only https
requests, handled by mod_ssl.

Marc
 
Big and Blue

Marc said:
> Yes, I will.

You will be *creating* thousands of certificates within minutes!? Why?

> I'm writing a system that will be able to identify node's clusters, so I
> will have lots and lots of certificate requests at startup, then only https
> requests, handled by mod_ssl.

Sorry - you've lost me (or rather, you haven't found me yet...).

a) What is starting up?
b) What type of certificate requests are these?

Are these "node's clusters" sending certificates for validation?
(mod_ssl can do that).
 
Marc

Big and Blue said:
> You will be *creating* thousands of certificates within minutes!? Why?

Because I have thousands of nodes that need a certificate.

> Sorry - you've lost me (or rather, you haven't found me yet...).
>
> a) What is starting up?

The nodes.

> b) What type of certificate requests are these?

Certificate requests created with openssl (first generate a key, then you
can create a certificate request).

> Are these "node's clusters" sending certificates for validation?
> (mod_ssl can do that).

Yes they are, but the bottleneck is the step just before this one. The
node needs a certificate if it wants to send it, right? So how do I
provide these thousand certificates?

As soon as the nodes have their certificate, this is easy (some
configuration in Apache); this is already working.

I was just looking for the fastest way to run a script that can make
some checks (I won't issue certificates for every request) and, from a
certificate request, issue a signed certificate. That's all.

I first tried Python because I know this language. Everybody uses Perl
here, and they want to be able to read my software after I'm gone, so I'm
moving to Perl.

If you have a better idea, let me know.


Marc
 
Big and Blue

Marc said:
> Because I have thousands of nodes that need a certificate.

But not new ones at each startup, surely?

> Yes they are, but the bottleneck is the step just before this one. The
> node needs a certificate if it wants to send it, right? So how do I
> provide these thousand certificates?

Create them once, save them on each node and get each node to use its
saved one when it starts.

> I was just looking for the fastest way to run a script that can make
> some checks (I won't issue certificates for every request) and, from a
> certificate request, issue a signed certificate. That's all.

So get the client to save it and reuse it for some time (you can set
your own expiry date...).
 
Marc

Big and Blue said:
> But not new ones at each startup, surely?

Of course, only at first startup (just after installation).

> Create them once, save them on each node and get each node to use
> its saved one when it starts.
>
> So get the client to save it and reuse it for some time (you can
> set your own expiry date...).

The first problem is still there (but now, maybe you understood what I
meant). When I install thousands of nodes (one cluster), all nodes
will request their certificates within minutes, so I must avoid as much
as possible heavy tasks that can be avoided.
I can't avoid the maths behind the crypto, but I can avoid forks when
they are not needed.

Marc
 
Ilya Zakharevich

[A complimentary Cc of this posting was sent to
Marc
> I can't avoid the maths behind the crypto, but I can avoid forks when
> they are not needed.

AFAIK, the openssl executable is just a tiny wrapper around the OpenSSL
libraries. Are these libraries dynamically linked on your target
platforms? If yes, why not call these entry points from Perl?

Yours,
Ilya
 
Marc

Ilya Zakharevich said:
> [A complimentary Cc of this posting was sent to
> Marc
> > I can't avoid the maths behind the crypto, but I can avoid forks when
> > they are not needed.
>
> AFAIK, the openssl executable is just a tiny wrapper around the OpenSSL
> libraries. Are these libraries dynamically linked on your target
> platforms? If yes, why not call these entry points from Perl?

Yes, the openssl executable is just a tool that uses the lib directly,
without much addition (I think). I will take a look at the internals and
see if it is feasible or not.

Marc
 
Big and Blue

Marc said:
> The first problem is still there (but now, maybe you understood what I
> meant). When I install thousands of nodes (one cluster), all nodes
> will request their certificates within minutes, so I must avoid as much
> as possible heavy tasks that can be avoided.

So, pre-create a certificate for each node on the server. Then when
the request comes in you just need to return the file. Look upon it as a
cache. When a request comes in you look in there for a file with the
requesting system's name (or address - some distinguishing element). If it
is there return the file, if it isn't *then* create one and put it in the
cache.

Before you turn on the nodes let the server run for a while creating a
thousand or so certificates.

> I can't avoid the maths behind the crypto, but I can avoid forks when
> they are not needed.

But one way to avoid a fork() now is to have done it earlier, at leisure.
 
Marc

Big and Blue said:
> So, pre-create a certificate for each node on the server. Then
> when the request comes in you just need to return the file. Look upon
> it as a cache. When a request comes in you look in there for a file
> with the requesting system's name (or address - some distinguishing
> element). If it is there return the file, if it isn't *then* create
> one and put it in the cache.

I thought of this but as a side effect, I can have certificates that are
not used (for example, if one machine is broken...).
Second point is that if I want to generate certificates _before_ nodes'
installations, the server will also need to generate private keys. I don't
want to have a repository with all private keys inside. Your cache
system will make the private keys be duplicated (one copy on the
central server, one copy (possibly) on a node).

> Before you turn on the nodes let the server run for a while
> creating a thousand or so certificates.
>
> But one way to avoid a fork() now is to have done it earlier, at leisure.

True, but it can add complexity to security handling... I am still
in the 'study' part, I'm writing a test system, and I'll be able to see
where the real bottleneck (if one) is ;)

Marc
 
Big and Blue

Marc said:
> I thought of this but as a side effect, I can have certificates that are
> not used (for example, if one machine is broken...).

How is that a problem, apart from a small "waste" of filespace?

> Second point is that if I want to generate certificates _before_ nodes'
> installations, the server will also need to generate private keys.

It will need to do this anyway. Do you mean it will have to store them?

> I don't
> want to have a repository with all private keys inside.

Why not?

> Your cache
> system will make the private keys be duplicated (one copy on the
> central server, one copy (possibly) on a node).

You can delete them once a node has "collected" its keys, if you wish.

> I am still
> in the 'study' part, I'm writing a test system, and I'll be able to see
> where the real bottleneck (if one) is ;)

Probably find it is in writing this thread!
 
Marc

Big and Blue said:
> How is that a problem, apart from a small "waste" of filespace?

Yes, it should not be a problem. But having keys to some restricted
area that are not used should be avoided, I think.

> It will need to do this anyway. Do you mean it will have to store them?

No, the key generation is done on the node, not on the server. This way,
I avoid some computing on the server, I avoid having the keys copied in
two locations, and I avoid having to transfer a private thing across the
network (even if it is https...)

I don't feel like doing it. If there is no other way, or this one is
really better than anything else, I will, but for the moment, I'll try
to make the system as simple as possible.

> You can delete them once a node has "collected" its keys, if you wish.

True...

> Probably find it is in writing this thread!

Ok, so this will be my last answer in this thread!

Thanks for giving me your ideas/point of view. I don't think I will
write a pure SSL library, but if I do, I'll let you know ;)

Marc
 
