[openssl-users] renegotiate across exec()

Jakob Bohm jb-openssl at wisemo.com
Fri Mar 2 07:44:50 UTC 2018


On 02/03/2018 06:44, Viktor Dukhovni wrote:
>
>> On Mar 1, 2018, at 10:39 PM, Felipe Gasper <felipe at felipegasper.com> wrote:
>>
>> Hi all,
>>
>> I’ve got a project where I’m trying to send a Hello Request from the server immediately before an exec(), then renegotiate the SSL connection.
>>
>> What is the easiest way to send *just* a Hello Request from a server?
> You actually have a more severe problem.  The session is already established
> and so the renegotiation must happen over an already encrypted channel.  But
> there's no API to export the cryptographic state for use in the new executable.
>
> I believe you're out of luck.  I believe that OpenSSL does not support migration
> of live connections between address spaces.
>
One workaround could be to do a fork()/exec(), then have the exec-ed
address space talk to the un-forked() parent address space in order to
get the renegotiation encrypted with the previously negotiated keys.

Another option could be to do a fork()/exec() with the parent process
maintaining full control of the SSL/TLS encryption, passing the
plaintext data to/from the child via pipes.  Perhaps the parent process
(or other piped process) could be a special process dedicated to doing
encryption/decryption, thus completely shielding the keys (long term and
short term) from any vulnerabilities in the data handling process.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
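A sketch of the second option above (the parent keeps the TLS session and only plaintext crosses pipes to a freshly exec'd handler), added here as an example that is not from the thread or from OpenSSL; the parent's SSL_read()/SSL_write() calls are assumed and omitted, and `tr` stands in for the real data-handling program. The one detail worth copying is the FD_CLOEXEC on the TLS socket, so the exec'd image can inherit neither the ciphertext channel nor, by any route, the keys behind it.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork and exec the data-handling program. Only the two plaintext pipes
 * are left open in the child; every other descriptor the parent owns
 * (the TLS socket above all) must carry FD_CLOEXEC so the exec'd image
 * sees no ciphertext and no key material. */
static pid_t spawn_handler(char *const argv[], int *to_child, int *from_child)
{
    int in[2], out[2];
    if (pipe(in) < 0 || pipe(out) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(in[0], STDIN_FILENO);      /* handler reads plaintext on stdin  */
        dup2(out[1], STDOUT_FILENO);    /* and writes its reply on stdout    */
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(in[0]); close(out[1]);
    *to_child = in[1];
    *from_child = out[0];
    return pid;
}

/* Parent-side relay for one request/response. 'plain' is what the parent
 * already obtained from SSL_read() (assumed, not shown); the bytes placed in
 * 'reply' are what it would hand to SSL_write(). Returns the reply length.
 * Small messages only: a large request needs a poll() loop to avoid the
 * child blocking on a full stdout pipe while the parent still writes. */
static ssize_t relay_plaintext(int tls_fd, const char *plain, size_t n,
                               char *reply, size_t cap)
{
    if (tls_fd >= 0) fcntl(tls_fd, F_SETFD, FD_CLOEXEC); /* never cross exec() */
    char *argv[] = { "tr", "a-z", "A-Z", NULL };          /* stand-in handler  */
    int to_child, from_child;
    pid_t pid = spawn_handler(argv, &to_child, &from_child);
    if (pid < 0) return -1;
    if (write(to_child, plain, n) != (ssize_t)n) { close(to_child); return -1; }
    close(to_child);                       /* EOF tells the handler we are done */
    size_t got = 0; ssize_t r;
    while (got < cap && (r = read(from_child, reply + got, cap - got)) > 0)
        got += (size_t)r;
    close(from_child);
    waitpid(pid, NULL, 0);
    return (ssize_t)got;
}
```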