[openssl-users] Transferring SSL Connections from one process to another.

Sudarshan Raghavan sudarshan.t.raghavan at gmail.com
Fri Jul 10 10:40:04 UTC 2015


I have been trying to transfer SSL connections (that are in accept state
with handshake completed and some data already sent/received prior to the
transfer) from one process to another so that it would allow me to
seamlessly receive and send over the SSL connection (from an SSL Client)
once it has been transferred to the new process.  Let me try to explain
what I did to achieve this.
1) Created a UNIX domain socket pair between the two processes.
2) Transferred the socket descriptors from one process to another (used
sendmsg and recvmsg APIs for this)
3) Retrieved the SSL_SESSION from SSL structure instance and converted this
to a sequence of bytes using the OpenSSL API "i2d_SSL_Session". Sent this
information from the first process using the sendmsg API (and received at
the other process using the recvmsg API).
4) Converted the raw bytes to SSL_SESSION using the OpenSSL API
5) On the new process instead of doing a handshake (using the OpenSSL API
SSL_do_handshake), I first set the session to the SSL_CTX structure
instance using the API SSL_CTX_add_session and then set the session on on
the SSL structure (by calling SSL_new with the context) instance using
6) Finally added read & write events for the socket descriptor and set the
read and write handlers appropriately (to read and write plain text data).
Used epoll mechanism to do so.

I was able to transfer the TCP connections across the processes (confirmed
by sending data over the passed over TCP Connection). However when i tried
sending data (using openssl s_client) over this SSL connection it gave me
the following errors followed by a close notify.
1) Got the following error when a stream cipher (RC4SHA) was used.
*SSL3 alert write:fatal:decode error*
*3074365640:error:1408F0A0:SSL routines:SSL3_GET_RECORD:length too
2) Got a "decryption failed" error when a block cipher was used. I do not
have the entire error description with me right now.

I am not sure why I received this error. Could you help me out with the
following queries?
1) Have I missed out something that I should have done to transfer SSL
connections from one process to another? Is it possible to do so in the
first place? If so, could you let me know how?
2) The API documentation for SSL_set_session says that it is only useful
for SSL/TLS clients. I am not sure what this means. Can i use it on SSL
Connections at the server side? Is it that this API can only be used to
cache sessions and resume the SSL sessions at a later point in time.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150710/911b33c0/attachment-0001.html>

More information about the openssl-users mailing list