PerlMonks  

Re: Multiplexing HTTPS server, peer cert authentication problem.

by Thelonius (Priest)
on Mar 05, 2007 at 17:51 UTC ( #603250=note )


in reply to Multiplexing HTTPS server, peer cert authentication problem.

One possibility, as Moron implies, is to write a forking server, possibly a pre-forking server. You might need to use Cygwin to get forking to work correctly on Windows.

However, your approach might work with a little more code. From the documentation for IO::Socket::SSL

Note that if start_SSL() fails in SSL negotiation, $socket will remain blessed in its original class. For non-blocking sockets you better just upgrade the socket to IO::Socket::SSL and call accept_SSL or connect_SSL on the upgraded object. To just upgrade the socket set SSL_startHandshake explicitly to 0. If you call start_SSL w/o this parameter it will revert to blocking behavior for accept_SSL and connect_SSL.
My interpretation, without actually trying this, is:
my $acceptsock = $sock->accept;
my $sslaccept = IO::Socket::SSL->start_SSL($acceptsock, {
    SSL_startHandshake => 0,
    SSL_use_cert       => 1,
    SSL_verify_depth   => 1,
    SSL_verify_mode    => 0x03,
});
$select->add($sslaccept);
@{*$sslaccept}{qw/sbuf size state/} = ('', 0, 'handshake');
# then go back to your select()

# Later, when the select() returns the $sslaccept socket (as $sock here), call
if (*$sock->{state} eq 'handshake') {
    my $sslclient = $sock->accept_SSL();
    if (defined($sslclient)) {
        # success!
        # advance the state of socket to connected, etc.
        *$sock->{state} = 'need_headers';
    } elsif ($SSL_ERROR == SSL_WANT_READ || $SSL_ERROR == SSL_WANT_WRITE) {
        # just do another select, then repeat call to accept_SSL
        # no code needed here, I think
    } else {
        # Otherwise, the connection has failed.
        $select->remove($sock);
        $sock->close();
        # maybe log it
    }
}
You will probably need to use the three argument select instead of can_read():
my ($readsocks, $writesocks, $errsocks) = IO::Select::select($select, $select, $select);
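The pattern above put together as a complete single-process server, written as an added example (it is not Thelonius's code and not part of this thread). It reblesses each accepted socket with SSL_startHandshake => 0, drives accept_SSL from the select() loop (re-arming the socket for read or write depending on whether $SSL_ERROR is SSL_WANT_READ or SSL_WANT_WRITE), and requires a client certificate by setting SSL_verify_mode to SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which is the 0x03 used above. It also passes SSL_server => 1, which the follow-up reply in this thread found to be necessary. The certificate file names, the listening port and the line-echo protocol are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example: non-blocking TLS accept with mandatory client-certificate
# authentication, all in one select() loop (no fork, so it also runs on Windows).
use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;
use IO::Socket::SSL qw($SSL_ERROR SSL_WANT_READ SSL_WANT_WRITE
                       SSL_VERIFY_PEER SSL_VERIFY_FAIL_IF_NO_PEER_CERT);

# Assumed file names; point these at your own server key/cert and client CA.
my %ssl_args = (
    SSL_server         => 1,                   # act as the server side of the handshake
    SSL_startHandshake => 0,                   # rebless only; we call accept_SSL ourselves
    SSL_cert_file      => 'server-cert.pem',
    SSL_key_file       => 'server-key.pem',
    SSL_ca_file        => 'client-ca.pem',     # CA that issued the client certificates
    SSL_verify_mode    => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,  # == 0x03
    SSL_verify_depth   => 1,
);

my $listener = IO::Socket::INET->new(
    LocalAddr => '127.0.0.1', LocalPort => 8443,
    Listen    => 5, ReuseAddr => 1, Blocking => 0,
) or die "listen: $!";

my $readers = IO::Select->new($listener);   # sockets waiting for readability
my $writers = IO::Select->new;              # sockets whose handshake needs a write
my %conn;                                   # fileno => { state => ..., sock => $ssl }

while (1) {
    my ($rd, $wr) = IO::Select->select($readers, $writers, undef) or next;
    my %seen;
    for my $s (grep { !$seen{$_}++ } @$rd, @$wr) {
        if ($s == $listener) {
            my $plain = $listener->accept or next;
            $plain->blocking(0);
            # Rebless without handshaking; start_SSL returns the same glob, now an SSL object.
            my $ssl = IO::Socket::SSL->start_SSL($plain, %ssl_args)
                or do { warn "start_SSL failed: $SSL_ERROR\n"; next };
            $conn{ fileno $ssl } = { state => 'handshake', sock => $ssl };
            continue_handshake($ssl);
            next;
        }
        my $c = $conn{ fileno $s } or next;
        $c->{state} eq 'handshake' ? continue_handshake($s) : serve_client($s);
    }
}

# Run one step of the handshake and re-arm the socket in the right select set.
sub continue_handshake {
    my ($ssl) = @_;
    $readers->remove($ssl);
    $writers->remove($ssl);
    if ($ssl->accept_SSL) {
        # Handshake complete; with FAIL_IF_NO_PEER_CERT the client cert is already verified.
        $conn{ fileno $ssl }{state} = 'connected';
        $readers->add($ssl);
        my $cn = $ssl->peer_certificate('commonName') // 'unknown';
        warn "client authenticated, CN=$cn\n";
    } elsif ($SSL_ERROR == SSL_WANT_READ) {
        $readers->add($ssl);       # wait for the client's next flight
    } elsif ($SSL_ERROR == SSL_WANT_WRITE) {
        $writers->add($ssl);       # our outgoing record did not fit; wait for writability
    } else {
        drop($ssl, "handshake failed: $SSL_ERROR");   # includes cert verification failures
    }
}

# Toy application protocol: echo whatever arrives, prefixed by the peer's CN.
sub serve_client {
    my ($ssl) = @_;
    my $n = sysread($ssl, my $buf, 4096);
    if (!defined $n) {
        # Not an error: a partial TLS record or renegotiation wants another select().
        return if $SSL_ERROR == SSL_WANT_READ || $SSL_ERROR == SSL_WANT_WRITE;
        return drop($ssl, "read error: $SSL_ERROR");
    }
    return drop($ssl, "client closed") if $n == 0;
    my $cn = $ssl->peer_certificate('commonName') // 'unknown';
    syswrite($ssl, "$cn: $buf");   # a real server would buffer partial writes
}

sub drop {
    my ($ssl, $why) = @_;
    warn "$why\n";
    $readers->remove($ssl);
    $writers->remove($ssl);
    delete $conn{ fileno $ssl };
    $ssl->close;
}
```

Keeping separate read and write sets matters: passing the same set as both the read and write argument of the three-argument select makes every idle connected socket report writability on each call and turns the loop into a busy spin. A client presenting no certificate, or one not chained to client-ca.pem, never reaches the 'connected' state; accept_SSL returns undef with a verification error in $SSL_ERROR and the socket is dropped.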


Re^2: Multiplexing HTTPS server, peer cert authentication problem.
by erroneousBollock (Curate) on Mar 06, 2007 at 01:09 UTC
    I'm not sure I understand.

    I do understand that you're saying I should split the (SSL) accept() into a non-SSL accept() and a start_SSL().
    What I don't understand is what problem that solves :)

    From what I have read, SSL_startHandshake makes sure that start_SSL is non-blocking (doesn't re-bless socket until it succeeds or fails).
    So, is your suggestion that the peer certificate authentication goes awry somehow, because I'm still blocking?

    -David.
      Well, I am suggesting it because the documentation recommends it.

      I tried it out and it seems to work, with one change, that it needs SSL_server => 1 here:

      my $sslaccept = IO::Socket::SSL->start_SSL($acceptsock, {
          SSL_startHandshake => 0,
          SSL_server         => 1,
          SSL_use_cert       => 1,
          SSL_verify_depth   => 1,
          SSL_verify_mode    => 0x03,
      });
      Otherwise it will try to authenticate as a client.

      Here's a restructured program:

        Hi Thelonius,

        Excellent! It works. Thank you very much.

        I'll reply at the top-level with a summary so that others may benefit from your research.
        -David.
