[openssl-users] renegotiate across exec()
Jakob Bohm
jb-openssl at wisemo.com
Fri Mar 2 07:44:50 UTC 2018
On 02/03/2018 06:44, Viktor Dukhovni wrote:
>
>> On Mar 1, 2018, at 10:39 PM, Felipe Gasper <felipe at felipegasper.com> wrote:
>>
>> Hi all,
>>
>> I’ve got a project where I’m trying to send a Hello Request from the server immediately before an exec(), then renegotiate the SSL connection.
>>
>> What is the easiest way to send *just* a Hello Request from a server?
> You actually have a more severe problem. The session is already established
> and so the renegotiation must happen over an already encrypted channel. But
> there's no API to export the cryptographic state for use in the new executable.
>
> I believe you're out of luck. I believe that OpenSSL does not support migration
> of live connections between address spaces.
>
One workaround could be to do a fork()/exec(), then have the exec-ed
address space talk to the un-forked() parent address space in order to
get the renegotiation encrypted with the previously negotiated keys.

Another option could be to do a fork()/exec() with the parent process
maintaining full control of the SSL/TLS encryption, passing the
plaintext data to/from the child via pipes. Perhaps the parent process
(or other piped process) could be a special process dedicated to doing
encryption/decryption, thus completely shielding the keys (long term and
short term) from any vulnerabilities in the data handling process.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
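A sketch of the second option above (parent keeps the TLS state, exec-ed child sees only plaintext over pipes), added here as an illustration and not code from the thread or from OpenSSL. It uses Python's ssl-wrapped sockets (OpenSSL underneath); the demo function substitutes a socketpair for a real TLS connection because a handshake would need a certificate, and the child command that uppercases its input is a constructed stand-in for the real handler. Since the SSL object never leaves the parent, any renegotiation is driven there, and a select() loop must drain pending() because records are decrypted whole.

```python
import os
import select
import socket
import subprocess
import sys
import threading


def serve_plaintext_via_child(conn, argv, bufsize=4096):
    """Relay between a blocking socket (plain or ssl.SSLSocket) and a child
    running argv; the child sees only plaintext and holds no TLS state."""
    child = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    pending = getattr(conn, "pending", lambda: 0)  # ssl.SSLSocket buffers whole records
    conn_open = True
    while True:
        rlist = ([conn] if conn_open else []) + [child.stdout]
        readable, _, _ = select.select(rlist, [], [])
        if conn in readable:
            while True:  # drain: select() cannot see bytes already decrypted in the SSL object
                data = conn.recv(bufsize)
                if not data:  # peer EOF: pass it on to the child as stdin EOF
                    conn_open = False
                    child.stdin.close()
                    break
                child.stdin.write(data)
                child.stdin.flush()
                if not pending():
                    break
        if child.stdout in readable:
            data = os.read(child.stdout.fileno(), bufsize)
            if not data:  # child finished: tear down our side of the channel
                break
            conn.sendall(data)
    conn.close()
    return child.wait()


def demo_roundtrip(payload):
    """Constructed demo: a socketpair stands in for the (TLS) client side and
    the child uppercases its input, so the relay is visible end to end."""
    client, server = socket.socketpair()
    argv = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read().upper())"]
    worker = threading.Thread(target=serve_plaintext_via_child, args=(server, argv))
    worker.start()
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)  # EOF reaches the child, which then replies
    echoed = b""
    while chunk := client.recv(4096):
        echoed += chunk
    worker.join()
    client.close()
    return echoed
```

In a real deployment `conn` would be the server-side `ssl.SSLSocket` accepted by the parent; the child is started by the same Popen (fork/exec) call with only the pipe ends.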