Pure Perl OpenSSL Library

Discussion in 'Perl Misc' started by Marc, Feb 25, 2005.

  1. Marc

    Marc Guest

    Hi,

    I'm developping a software that needs to act as a Certificate
    Authority. I must use Perl for this.
    I would like to avoid forking at each certificate request as there will
    be several requests within seconds. The problem is that every SSL
    modules I can find for Perl are using the openssl command line.

    Can someone point me to/give me the name of a projet that has (even if
    not complete) a pure Perl/C OpenSSL library?

    I would be very surprised if no such project exist...but who knows? :)

    Marc
     
    Marc, Feb 25, 2005
    #1
    1. Advertising

  2. Marc

    Big and Blue Guest

    Marc wrote:
    >
    > I'm developping a software that needs to act as a Certificate
    > Authority. I must use Perl for this.


    An odd pre-requisite if it stops you achieving your actual goal.

    > I would like to avoid forking at each certificate request as there will
    > be several requests within seconds. The problem is that every SSL
    > modules I can find for Perl are using the openssl command line.


    My suspicion is that if you are worried about the cost of forking then
    you're looking at the wrong thing. I assume you are intending that this
    system be generating certificates? If so, then the resources for that (in
    particular its random/prime number generating) will make any forking
    resource demands pale into insignificance.

    > Can someone point me to/give me the name of a projet that has (even if
    > not complete) a pure Perl/C OpenSSL library?
    >
    > I would be very surprised if no such project exist...but who knows? :)


    Why would you be surprised? Perhaps others see that it would be a lot
    of work for almost no gain? The openssl command already exists. Perl has
    adequate ways to run external commands.


    --
    Just because I've written it doesn't mean that
    either you or I have to believe it.
     
    Big and Blue, Feb 26, 2005
    #2
    1. Advertising

  3. Marc

    Marc Guest

    Big and Blue <> writes:

    > Marc wrote:
    > >
    >> I'm developping a software that needs to act as a Certificate
    >> Authority. I must use Perl for this.

    >
    > An odd pre-requisite if it stops you achieving your actual goal.


    This will be behind an Apache server. I first wrote the test system
    using Python, but Perl is widely used here, so I must use it ;)

    >> I would like to avoid forking at each certificate request as there will
    >> be several requests within seconds. The problem is that every SSL
    >> modules I can find for Perl are using the openssl command line.

    >
    > My suspicion is that if you are worried about the cost of forking
    > then you're looking at the wrong thing. I assume you are intending
    > that this system be generating certificates? If so, then the
    > resources for that (in particular its random/prime number generating)
    > will make any forking resource demands pale into insignificance.


    You are right. But if I just want to get some some field from the
    certificates, forking is a bit heavy for this... But I will investigate
    this. Thanks for the remark ;)

    >> Can someone point me to/give me the name of a projet that has (even if
    >> not complete) a pure Perl/C OpenSSL library?
    >> I would be very surprised if no such project exist...but who knows?
    >> :)

    >
    > Why would you be surprised? Perhaps others see that it would be a
    > lot of work for almost no gain? The openssl command already exists.
    > Perl has adequate ways to run external commands.


    Yes, but if you read the openssl manual, you will se that this is some
    sort of 'demo' tool not intended to but used for a CA... It is not
    locking the cert db, return status not very easy to use in script (must
    read stderr to see if the certificate has been added for example)... I
    know this is possible and projects are using this, but this is not as
    clean as a pure perl solution... I thought maybe someone did such a
    lib, as it is possible to find all sort of thing in Perl... why not?

    Thanks,

    Marc
     
    Marc, Feb 26, 2005
    #3
  4. Marc

    Big and Blue Guest

    Marc wrote:
    >
    > This will be behind an Apache server. I first wrote the test system
    > using Python, but Perl is widely used here, so I must use it ;)


    You missed my point. Perl is an option, not a requirement.

    >> My suspicion is that if you are worried about the cost of forking
    >>then you're looking at the wrong thing.

    >.....
    > You are right. But if I just want to get some some field from the
    > certificates, forking is a bit heavy for this... But I will investigate
    > this. Thanks for the remark ;)


    Forking isn't *that* heavy. However, modules such as IO::Socket::SSL
    do certificate verification, so perhaps you could look through that to see
    how it does it? Presumably to verify it it must look at the certificate
    fields.

    >
    > Yes, but if you read the openssl manual, you will se that this is some
    > sort of 'demo' tool not intended to but used for a CA...


    You could make it so with a little work....

    > It is not
    > locking the cert db,


    So, write a simple Perl module which does this before calling openssl....

    > return status not very easy to use in script (must
    > read stderr to see if the certificate has been added for example)


    ...and which then parses stderr and returns the status.

    > I thought maybe someone did such a
    > lib, as it is possible to find all sort of thing in Perl... why not?


    Waiting for someone to do it? Are you volunteering?


    --
    Just because I've written it doesn't mean that
    either you or I have to believe it.
     
    Big and Blue, Feb 26, 2005
    #4
  5. Marc

    Marc Guest

    Big and Blue <> writes:

    > Marc wrote:
    > >
    >> This will be behind an Apache server. I first wrote the test system
    >> using Python, but Perl is widely used here, so I must use it ;)

    >
    > You missed my point. Perl is an option, not a requirement.


    Yes and no. If I want to make some script with apache and use some
    languages used in my "team", there's not much left ;)

    >>> My suspicion is that if you are worried about the cost of forking
    >>>then you're looking at the wrong thing.

    >> ..... You are right. But if I just want to get some some field from
    >> the
    >> certificates, forking is a bit heavy for this... But I will investigate
    >> this. Thanks for the remark ;)

    >
    > Forking isn't *that* heavy. However, modules such as
    > IO::Socket::SSL do certificate verification, so perhaps you could look
    > through that to see how it does it? Presumably to verify it it must
    > look at the certificate fields.


    My system will receive burst of thousand and more request within short
    period (seconds/minutes), so I want to avoid forks as much as possible.

    > So, write a simple Perl module which does this before calling openssl....
    > ...and which then parses stderr and returns the status.


    I'm already doing this. But for example, if openssl returned something
    else than 0 when there is a problem, it would be easier than parse
    undocumented output from stderr ;)

    > Waiting for someone to do it? Are you volunteering?


    Not waiting for someone to do it, asking if someone knows about this
    sort a project. I'm afraid I'm not skilled enougth in Perl and don't
    have time for writing such a thing, so I'll use what's already existing.


    Thanks,
    Marc
     
    Marc, Feb 27, 2005
    #5
  6. Marc

    Big and Blue Guest

    Marc wrote:
    >>

    > My system will receive burst of thousand and more request within short
    > period (seconds/minutes), so I want to avoid forks as much as possible.


    Requests for what? I presume you aren't going to be creating/issuing
    thousands of certificates within minutes.

    If you are trying to validate an "incoming" SSL cerrtificate in Apache
    you should use mod_ssl. But what are you actually trying to do?

    --
    Just because I've written it doesn't mean that
    either you or I have to believe it.
     
    Big and Blue, Feb 28, 2005
    #6
  7. Marc

    Marc Guest

    Big and Blue <> writes:

    > Marc wrote:
    >>>

    >> My system will receive burst of thousand and more request within short
    >> period (seconds/minutes), so I want to avoid forks as much as possible.

    >
    > Requests for what? I presume you aren't going to be
    > creating/issuing thousands of certificates within minutes.


    Yes, I will.

    > If you are trying to validate an "incoming" SSL cerrtificate in
    > Apache you should use mod_ssl. But what are you actually trying to do?


    Already using that ;)

    I'm writing a system that will be able to identify node's clusters, so I
    will have lots and lots certificate requests at startup, then only https
    requests, handled by mod_ssl.

    Marc
     
    Marc, Feb 28, 2005
    #7
  8. Marc

    Big and Blue Guest

    Marc wrote:
    >
    >> Requests for what? I presume you aren't going to be
    >>creating/issuing thousands of certificates within minutes.

    >
    > Yes, I will.


    You will be *creating* thousands of certificates within minutes!? Why?

    > I'm writing a system that will be able to identify node's clusters, so I
    > will have lots and lots certificate requests at startup, then only https
    > requests, handled by mod_ssl.


    Sorry - you've lost me (or rather, you haven't found me yet...).

    a) What is starting up?
    b) What type of certificate requests are these?

    Are these "node's clusters" sending certificates for validation?
    (mod_ssl can do that).


    --
    Just because I've written it doesn't mean that
    either you or I have to believe it.
     
    Big and Blue, Mar 1, 2005
    #8
  9. Marc

    Marc Guest

    Big and Blue <> writes:

    > Marc wrote:
    >>
    >>> Requests for what? I presume you aren't going to be
    >>>creating/issuing thousands of certificates within minutes.

    >> Yes, I will.

    >
    > You will be *creating* thousands of certificates within minutes!? Why?


    Because I have thousands nodes that needs a certificate

    >> I'm writing a system that will be able to identify node's clusters, so I
    >> will have lots and lots certificate requests at startup, then only https
    >> requests, handled by mod_ssl.

    >
    > Sorry - you've lost me (or rather, you haven't found me yet...).
    >
    > a) What is starting up?


    The nodes

    > b) What type of certificate requests are these?


    certificate request created with openssl (first generate a key, then you
    can create a certificate request).

    > Are these "node's clusters" sending certificates for validation?
    > (mod_ssl can do that).


    Yes they are, but the bottleneck is the step just before this one. The
    node needs a certificate if it wants to send it, right? So how do I
    provide theses thousand certificates?

    As soon as the nodes have their certificate, this is easy (some
    configuration in apache); this is already working.

    I was just looking for the fastest way to run a script that can make
    some checks (I won't issu certificates for every request) and from a
    certificate request, issu a signed certificate. That's all.

    I first tried python because I know this language. Everybody uses Perl
    here, and they want to be able to read my soft after I'm gone, so I'm
    moving to Perl.

    If you have better idea, let me know.


    Marc
     
    Marc, Mar 1, 2005
    #9
  10. Marc

    Big and Blue Guest

    Marc wrote:
    >
    >> You will be *creating* thousands of certificates within minutes!? Why?

    >
    > Because I have thousands nodes that needs a certificate


    But not new ones at each startup, surely?


    > Yes they are, but the bottleneck is the step just before this one. The
    > node needs a certificate if it wants to send it, right? So how do I
    > provide theses thousand certificates?


    Create them once, save them on each node and get each node to use its
    saved one when it starts.

    > I was just looking for the fastest way to run a script that can make
    > some checks (I won't issu certificates for every request) and from a
    > certificate request, issu a signed certificate. That's all.


    So get the client to save it and resuse it for some time (you can set
    your own expiry date...).

    --
    Just because I've written it doesn't mean that
    either you or I have to believe it.
     
    Big and Blue, Mar 2, 2005
    #10
  11. Marc

    Marc Guest

    Big and Blue <> writes:

    > Marc wrote:
    >>
    >>> You will be *creating* thousands of certificates within
    >>> minutes!? Why?

    >> Because I have thousands nodes that needs a certificate

    >
    > But not new ones at each startup, surely?


    Of course, only at first startup (just after installation).

    >> Yes they are, but the bottleneck is the step just before this one. The
    >> node needs a certificate if it wants to send it, right? So how do I
    >> provide theses thousand certificates?

    >
    > Create them once, save them on each node and get each node to use
    > its saved one when it starts.
    >> I was just looking for the fastest way to run a script that can make
    >> some checks (I won't issu certificates for every request) and from a
    >> certificate request, issu a signed certificate. That's all.

    >
    > So get the client to save it and resuse it for some time (you can
    > set your own expiry date...).


    The first problem is still there (but now, maybe you understood what I
    meant). When I'll install thousand of nodes (one cluster), all nodes
    will request their certificates within minutes, so I must avoid as much
    as possible heavy tasks that can be avoided.
    I can't avoid the maths behind the crypto, but I can avoid fork when
    they are not needed.

    Marc
     
    Marc, Mar 2, 2005
    #11
  12. [A complimentary Cc of this posting was sent to
    Marc
    <>], who wrote in article <>:
    > I can't avoid the maths behind the crypto, but I can avoid fork when
    > they are not needed.


    AFAIK, openssl executable is just a tiny wrapper about openSSL
    libraries. Are these libraries dynamically linked on your target
    platforms? If yes, why not call these entry points from Perl?

    Yours,
    Ilya
     
    Ilya Zakharevich, Mar 2, 2005
    #12
  13. Marc

    Marc Guest

    Ilya Zakharevich <> writes:

    > [A complimentary Cc of this posting was sent to
    > Marc
    > <>], who wrote in article <>:
    >> I can't avoid the maths behind the crypto, but I can avoid fork when
    >> they are not needed.

    >
    > AFAIK, openssl executable is just a tiny wrapper about openSSL
    > libraries. Are these libraries dynamically linked on your target
    > platforms? If yes, why not call these entry points from Perl?


    yes openssl executable is just a tool that uses directly the lib,
    without much addition (I think). I will take a look at the internals and
    see it is feasable or not.

    Marc
     
    Marc, Mar 2, 2005
    #13
  14. Marc

    Big and Blue Guest

    Marc wrote:
    >
    > The first problem is still there (but now, maybe you understood what I
    > meant). When I'll install thousand of nodes (one cluster), all nodes
    > will request their certificates within minutes, so I must avoid as much
    > as possible heavy tasks that can be avoided.


    So, pre-create a certificate for each node on the server. Then when
    the request comes in you just need to return the file. Look upon it as a
    cache. When a request comes in you look in there for a file with the
    requesting system's name (or address - some distinguishing element). If it
    is there return the file, if it isn't *then* create one and put it in the
    cache.

    Before you turn on the nodes let the server run for a while creating a
    thoudand or so certificates.

    > I can't avoid the maths behind the crypto, but I can avoid fork when
    > they are not needed.


    But one way to avoid a fork() now is to have done it earlier, at leisure.

    --
    Just because I've written it doesn't mean that
    either you or I have to believe it.
     
    Big and Blue, Mar 2, 2005
    #14
  15. Marc

    Marc Guest

    Big and Blue <> writes:

    > Marc wrote:
    >> The first problem is still there (but now, maybe you understood what
    >> I
    >> meant). When I'll install thousand of nodes (one cluster), all nodes
    >> will request their certificates within minutes, so I must avoid as much
    >> as possible heavy tasks that can be avoided.

    >
    > So, pre-create a certificate for each node on the server. Then
    > when the request comes in you just need to return the file. Look upon
    > it as a cache. When a request comes in you look in there for a file
    > with the requesting system's name (or address - some distinguishing
    > element). If it is there return the file, if it isn't *then* create
    > one and put it in the cache.


    I thought of this but as a side effect, I can have certificate that are
    not used (for example, if one machine is broken...).
    Second point, is that if I want to generate certificate _before_ nodes'
    installations, server will also need to generate private keys. I don't
    want to have a repository with all private keys inside. Your cache
    system will make the private keys to be duplicated (one copy on the
    central server, one copy (possibly) on a node).

    > Before you turn on the nodes let the server run for a while
    > creating a thoudand or so certificates.
    >
    >> I can't avoid the maths behind the crypto, but I can avoid fork when
    >> they are not needed.

    >
    > But one way to avoid a fork() now is to have done it earlier, at leisure.


    True, but you it can add complexity to security handling... I am still
    in the 'study' part, I'm writing a test system, and I'll be able to see
    where the real bottleneck (if one) is ;)

    Marc
     
    Marc, Mar 2, 2005
    #15
  16. Marc

    Big and Blue Guest

    Marc wrote:
    >
    > I thought of this but as a side effect, I can have certificate that are
    > not used (for example, if one machine is broken...).


    How is that a problem, apart from a small "waste" of filespace?

    > Second point, is that if I want to generate certificate _before_ nodes'
    > installations, server will also need to generate private keys.


    It will need to do this anyway. Do you mean it will have to store them?

    > I don't
    > want to have a repository with all private keys inside.


    Why not?

    > Your cache
    > system will make the private keys to be duplicated (one copy on the
    > central server, one copy (possibly) on a node).


    You can delete them once a node has "collected" its keys, if you wish.


    > I am still
    > in the 'study' part, I'm writing a test system, and I'll be able to see
    > where the real bottleneck (if one) is ;)


    Probably find it is in writing this thread!


    --
    Just because I've written it doesn't mean that
    either you or I have to believe it.
     
    Big and Blue, Mar 3, 2005
    #16
  17. Marc

    Marc Guest

    Big and Blue <> writes:

    > Marc wrote:
    > >
    >> I thought of this but as a side effect, I can have certificate that are
    >> not used (for example, if one machine is broken...).

    >
    > How is that a problem, apart from a small "waste" of filespace?


    Yes, it should not be a problem. But having keys to some restricted
    area, that are not used, should be avoided, I think.

    >> Second point, is that if I want to generate certificate _before_ nodes'
    >> installations, server will also need to generate private keys.

    >
    > It will need to do this anyway. Do you mean it will have to store them?


    No, the key generation is done on the node, not on the server. This way,
    I avoid some computing on the server, I avoid having the keys copied in
    two locations, and I avoid having to transfer a private thing across
    network (even if it is https...)

    >> I don't
    >> want to have a repository with all private keys inside.

    >
    > Why not?


    Don't feel like doing it. If there is no other way, or this one is
    really better than anything else, I will, but for the moment, I'll try
    to make the system simpler as possible

    >> Your cache
    >> system will make the private keys to be duplicated (one copy on the
    >> central server, one copy (possibly) on a node).

    >
    > You can delete them once a node has "collected" its keys, if you wish.


    True...


    > > I am still
    > > in the 'study' part, I'm writing a test system, and I'll be able to see
    > > where the real bottleneck (if one) is ;)

    >
    > Probably find it is in writing this thread!


    Ok, so this will be my last answer in this thread!

    Thanks for giving me your ideas/point of view. I don't think I will
    write a pure SSL library, but if I do, I'll let you know ;)

    Marc
     
    Marc, Mar 4, 2005
    #17
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Todd Aspeotis
    Replies:
    3
    Views:
    481
    Kanenas
    May 30, 2005
  2. Replies:
    2
    Views:
    2,173
  3. Michael Crute
    Replies:
    0
    Views:
    504
    Michael Crute
    Jun 14, 2010
  4. geremy condra
    Replies:
    0
    Views:
    413
    geremy condra
    Jun 14, 2010
  5. Redd Vinylene
    Replies:
    6
    Views:
    311
    Jakub Pawlowicz
    Nov 18, 2008
Loading...

Share This Page