[openssl-users] SSL_CTX_set_cert_verify_callback and certificate access

Corey Minyard minyard at acm.org
Fri Jan 11 22:22:15 UTC 2019


On 1/11/19 12:42 PM, Sam Roberts wrote:
> On Wed, Jan 9, 2019 at 6:54 PM Corey Minyard <minyard at acm.org> wrote:
>> My first inclination for a secure connection was to use ssh. However,
>> ssh is not as well suited for this as I would have liked, and all the
>> ssh libraries are tied to a file descriptor in ways that are not easily
>> fixable, and thus can't be used on top of an abstract connection, which
>> is what I need.  That was rather disappointing, as it would have been
>> really nice for users to just be able to ssh to ser2net.
> Not to second guess your finding that ssh isn't working well for you,
> you know your own code best, but for my own interest, I'm curious what
> about the fd is a problem? Perhaps the mismatch between X.509+TLS and
> the auth model you want are enough to reconsider your abstractions?
> Generating certs is pretty annoying and fragile, and using ssh clients
> is pretty easy!

Generating certs is easy if you do it like ssh does, and openssl is 
quite capable of that.

The auth model is not the issue, though.  The problems I'm having are plugging
in to openssl in the right places to do what I want.  But the help I've received
here has got me through that, I think.


>
> It sounds like you are building the abstractions (in C?) inside the
> ser2net process, but maybe your abstraction can be an fd, and the
> "layers" can be child processes that connect fd-to-fd, sort of
> qmail-like? Or, ssh should be able to execute an arbitrary command on
> the server, and that command should be able to do anything it wants
> with the ssh-facing socket descriptors, perhaps sending data to/from
> your server which can then move the data through the in-process
> abstractions?

The model I have is something like openssl and the BIOs.  You can plug different
things together in openssl any way you like.  In each piece, you shove data in
one side and data comes out the other.  You have BIOs at the end for dealing
with sockets or whatnot.  So getting openssl running inside my framework
was quite easy.

Both openssh and libssh are not designed that way.  There is no clean separation
between dealing with file descriptors (that's what I meant by fd) and the rest
of the library.  And there were a number of other issues, too.

Thanks,

-corey
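The "shove data in one side and data comes out the other" model Corey describes, shown as an added example that is not code from this thread or from ser2net. It uses Python's ssl.MemoryBIO and SSLContext.wrap_bio, which are thin wrappers over OpenSSL memory BIOs and SSL_set_bio, so TLS runs with no socket or file descriptor at all: ciphertext is handed to a pump function that stands in for whatever abstract connection the caller has. It also follows the "do it like ssh does" remark: a self-signed certificate is generated with the openssl command-line tool (assumed to be on PATH) and the client trusts exactly that one certificate, the way a known_hosts entry pins one host key. The names TlsEndpoint, pump, run_session and the message text are invented for the example.

```python
"""TLS over an abstract transport: OpenSSL memory BIOs driven from Python, no fd."""
import hashlib
import os
import ssl
import subprocess
import tempfile


def make_self_signed_cert(directory, common_name="abstract-transport-demo"):
    """Generate a throwaway self-signed key pair with the openssl CLI (assumed on PATH).

    This is the ssh-style model: one self-signed cert per host, no CA.
    Returns (key_path, cert_path)."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", f"/CN={common_name}"],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return key, cert


class TlsEndpoint:
    """One side of a TLS session whose network side is a pair of memory BIOs.

    `incoming` receives ciphertext from the peer; `outgoing` collects ciphertext
    for the peer.  Nothing here knows what carries the bytes between the two."""

    def __init__(self, ctx, server_side):
        self.incoming = ssl.MemoryBIO()
        self.outgoing = ssl.MemoryBIO()
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing, server_side=server_side)
        self.handshake_done = False

    def step_handshake(self):
        """Advance the handshake as far as the bytes received so far allow."""
        if self.handshake_done:
            return
        try:
            self.tls.do_handshake()
            self.handshake_done = True
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            pass  # need more ciphertext from the peer first

    def send(self, data):
        self.tls.write(data)  # plaintext in, ciphertext appears in self.outgoing

    def recv(self):
        try:
            return self.tls.read(4096)  # ciphertext from self.incoming, plaintext out
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            return b""


def pump(a, b):
    """Carry pending ciphertext in both directions.

    This is the abstract connection layer: a socket, a serial line, or another
    protocol layer could sit here instead of two in-memory copies."""
    for src, dst in ((a, b), (b, a)):
        data = src.outgoing.read()
        if data:
            dst.incoming.write(data)


def run_session(message=b"hello over an abstract transport"):
    """Handshake, send one message, get an uppercased echo back, all in memory."""
    with tempfile.TemporaryDirectory() as workdir:
        key, cert = make_self_signed_cert(workdir)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        client_ctx.check_hostname = False          # no DNS name involved, pin the cert instead
        client_ctx.verify_mode = ssl.CERT_REQUIRED
        client_ctx.load_verify_locations(cafile=cert)  # trust exactly this one self-signed cert
        with open(cert) as f:
            expected_fp = hashlib.sha256(ssl.PEM_cert_to_DER_cert(f.read())).hexdigest()

        server = TlsEndpoint(server_ctx, server_side=True)
        client = TlsEndpoint(client_ctx, server_side=False)
        for _ in range(10):  # a few round trips are enough for a full handshake
            client.step_handshake()
            server.step_handshake()
            pump(client, server)
            if client.handshake_done and server.handshake_done:
                break

        client.send(message)               # constructed sample message
        pump(client, server)
        server_received = server.recv()
        server.send(server_received.upper())
        pump(client, server)
        client_received = client.recv()
        peer_fp = hashlib.sha256(client.tls.getpeercert(binary_form=True)).hexdigest()
        return {
            "handshake_done": client.handshake_done and server.handshake_done,
            "server_received": server_received,
            "client_received": client_received,
            "peer_fingerprint_matches": peer_fp == expected_fp,
        }


if __name__ == "__main__":
    print(run_session())
```

The same structure maps one-to-one onto the C API: BIO_new(BIO_s_mem()) for the two memory BIOs, SSL_set_bio() to attach them, SSL_do_handshake() until it stops returning SSL_ERROR_WANT_READ, and BIO_read()/BIO_write() on the memory BIOs inside whatever transport layer carries the ciphertext.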


