1

Suppose I have a client-server architecture. The client communicates with the server through a secured SSL TCP connection. Both client and server use SSL_write and SSL_read for communication.

Then, the server uses fork and runs on the child branch close(STDOUT_FILENO) dup(ssl_socket_from_client) execvp(...)

Basically, the output of the program will go into the socket, but will it be encrypted and how do I ensure that anything that goes into this socket uses the same procedure of writing as with SSL_write?

Thanks in advance

Improve this question

1 Answer 1

Reset to default
2

The current state of the SSL socket is in most cases (like with OpenSSL) kept in user space. When forking this state is duplicated into the child. But after the exec this duplicated state is thrown away. This means the executed process has only access to the plain kernel-level file descriptor but not to the SSL state which is needed to transmit encrypted traffic over this file descriptor.

Therefore a simple fork and exec will not work with SSL sockets. Instead the parent process of the executed process needs to handle all the SSL by itself, i.e. read and decrypt data from the SSL socket and provide the executed process with the plain data and read plain data from the executed process and encrypt and forward these data through the SSL socket. Communication with the executed process can for example be done with two pipes or a single socketpair. Or as some rough visualisation:

TLS server <--SSL socket--> Parent <--plain socketpair/pipes--> Child

For related problems see Share SSL socket with child process or Python3 CGI HTTPS server fails on Unix.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

Okay, so there should be created another socket between the parent and the child. The child will dump it's output into the newly created socket and then the parent will use SSL_write to respond. That makes more sense now, thank you
Another question: How do I implement stdin redirection? What if the server runs a command that expects input from the client? With a new level of sockets, I have no idea when to read and when to write to pipes. Are blocking SSL_read and SSL_write even viable in this case?
@DenisRozimovschii: this is a somehow related but still new question and should thus not be asked in a comment. I recommend to have a look at pipe or socketpair to create the necessary file descriptors, use dup or dup2 to map stdin/stdout to these fd in the child and use select, poll, kqueue or whatever you OS offers to find out when data can be read from one fd (ssl or plain) and be forwarded to the other fd (plain or ssl). You could probably also use threads if you are less comfortable with event-driven programming.
I've implemented the socketpair related stuff, but I didn't know about poll and events on descriptors. Now, when I do, I will progress. Thank you. Also, I felt like there is too much context inside this question and comments, so starting a new one would be a waste
I created a separate question following your advice stackoverflow.com/questions/48084446/…
|

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.