OpenSSL and PP::TCPSocket


Richard Moscone

Sep 17, 2015, 7:07:16 AM
to Native-Client-Discuss
Hi,

I've currently got a Chromebook packaged app that uses the Asynchronous PP::TCPSockets for communication with a server and it's working great.

I've now been tasked with using SSL/TLS to protect the socket and I've hit a wall. I've got a NaCl port build of OpenSSL and I've been trying to get that to work with the PP::TCPSocket object, but I can't find a way to connect the socket to OpenSSL.

It seems I need the socket ID which I can't get ( or don't yet know how to get ).

I've seen NaCl IO using BSD sockets and I realise I can go that way but that would require a large redesign of our comms layer that I don't want to face right now :)

Any help would be appreciated,

Ben Smith

Sep 17, 2015, 6:19:54 PM
to Native-Client-Discuss
Hi Richard,

I've never done this, but a quick search shows that it should be possible. Here's someone making a connection over UDP: http://stackoverflow.com/questions/22753221/openssl-read-write-handshake-data-with-memory-bio
It seems the API you need is BIO, which provides an abstraction over the input/output.

HTH,
-Ben

Richard Moscone

Sep 18, 2015, 3:58:42 AM
to Native-Client-Discuss
Thanks for the info, Ben.

I was looking into BIOs yesterday evening and this seems to confirm that line of thought.

I'll try them today and see how it goes.

Rich

Richard Moscone

Sep 29, 2015, 9:11:31 AM
to Native-Client-Discuss
Just in case anyone else was looking to do this, I can confirm that using OpenSSL with memory BIOs is the way to go. I've currently got a client communicating with a .NET based SSL server and it's working brilliantly.

This is one of the most helpful links I found that explains how to set up an OpenSSL / memory BIO test example: http://www.roxlu.com/2014/042/using-openssl-with-memory-bios

Rich

Fabio Nokai

Oct 15, 2015, 5:29:50 PM
to Native-Client-Discuss
Hi Richard,

I'm trying to use OpenSSL with TCPSocket, but it's not working.
My code looks like:

int sockfd = ppb_tcpsocket->Create(module_instance);
ppb_tcpsocket->Connect(....);
....
SSL_library_init();
SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
....
SSL* sslHandle = SSL_new(ctx);

BIO* bio = BIO_new_socket(sockfd, BIO_NOCLOSE);
SSL_set_bio(sslHandle, bio, bio);
SSL_set_fd(sslHandle, sockfd);
....
int ret = SSL_connect(sslHandle);
....
int error_code = SSL_get_error(sslHandle, ret);

The error code is SSL_ERROR_SYSCALL.

Can you give me a hand?

Richard Moscone

Oct 22, 2015, 7:16:06 AM
to Native-Client-Discuss
Hi Fabio,

I'm using SSL without having it connected to my TCP socket; I'm not sure it's possible to connect it up so you can just call SSL_read and SSL_write and have it work on the socket for you.

My method is to pass any data I want to send through SSL, reading the encrypted data out and then writing that to the socket. Any data I read from the socket gets fed into SSL, and then the unencrypted data is read out the other side and passed into my application.

Here's a rough overview of how I did it.

I call the SSL init and create a context.

After that I create an X509 cert using a memory BIO and load that into SSL using SSL_CTX_use_certificate.

Then I call SSL_new( sslContext )

At this point I create two memory BIOs, using BIO_new( BIO_s_mem() ), one for reading and one for writing.

I then call SSL_set_bio( sslHandle, readBio, writeBio ). (I'm relatively new to OpenSSL so not sure if you can use the same BIO for reading and writing.)

After setting the BIOs I call SSL_set_connect_state( sslHandle ). From here the write BIO should now contain the first part of the SSL handshake.

Connect your TCP socket to your server.

Once connected, the next step is to deal with the handshake. Calling BIO_read on the write BIO should get you the handshake data to send. Write that data to your TCP socket.

You should then get the response part of the handshake back, which you need to push back into SSL by calling BIO_write on your read BIO.

You can call SSL_do_handshake to check whether the handshake is finished (usually two rounds of send and receive).

Once the handshake is complete, anything you want to write to your TCP socket gets pushed through SSL first, via the BIO, using SSL_write, and then you call BIO_read on your write BIO to get the encrypted data out.

When you get data read from your TCP socket, feed it straight into SSL via BIO_write to load the data into your read BIO, and then call SSL_read to get the data out.

Reading back over this, it seems a little confusing, but I hope it gives you an idea of how I've done it. It's by no means the right way/best way, but it really performs well.

Hope this helps. Good luck!

Rich
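The pump Richard describes, as an added example rather than code from the thread: it uses Python's ssl.MemoryBIO and SSLContext.wrap_bio, which are OpenSSL's memory BIOs and SSL_set_bio underneath, so each method maps to the C call named in its comment. The hostname example.test is a placeholder; with a client context the Python defaults keep certificate and hostname verification on, which a C client on memory BIOs has to request itself with SSL_CTX_set_verify and SSL_set1_host.

```python
import ssl

class MemoryBioTls:
    """TLS engine detached from the socket; the caller shuttles ciphertext.
    incoming = the "read BIO":  ciphertext from the socket goes in (BIO_write)
    outgoing = the "write BIO": ciphertext for the socket comes out (BIO_read)
    """

    def __init__(self, ctx, server_side, server_hostname=None):
        self.incoming = ssl.MemoryBIO()
        self.outgoing = ssl.MemoryBIO()
        # wrap_bio == SSL_new + SSL_set_bio(read_bio, write_bio); the side is
        # picked like SSL_set_connect_state / SSL_set_accept_state.
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing,
                                server_side=server_side,
                                server_hostname=server_hostname)
        self.handshake_done = False

    def handshake(self, received=b""):
        """One round: push the peer's bytes in, return the next flight to send."""
        self.incoming.write(received)
        try:
            self.tls.do_handshake()          # SSL_do_handshake
            self.handshake_done = True
        except ssl.SSLWantReadError:
            pass                             # waiting for the peer's next flight
        return self.outgoing.read()

    def encrypt(self, plaintext):
        """Application data -> SSL_write -> ciphertext drained from the write BIO."""
        self.tls.write(plaintext)
        return self.outgoing.read()

    def decrypt(self, ciphertext):
        """Ciphertext from the socket -> read BIO -> SSL_read until it runs dry."""
        self.incoming.write(ciphertext)
        out = bytearray()
        try:
            while True:
                out += self.tls.read(4096)
        except (ssl.SSLWantReadError, ssl.SSLZeroReturnError):
            pass                             # no complete record left / peer closed
        return bytes(out)

def first_client_flight(server_hostname="example.test"):
    """What the write BIO holds before anything arrives from the server: a TLS
    record (type 0x16) carrying a ClientHello (handshake type 0x01)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verify + hostname check stay on
    return MemoryBioTls(ctx, server_side=False, server_hostname=server_hostname).handshake()
```

Wire handshake() to the socket's receive callback until handshake_done is set, then call encrypt() before every socket write and decrypt() after every socket read.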