Re: How do I setup TLS connections in EventMachine?


Aman Gupta

Dec 14, 2012, 2:50:11 AM
to eventm...@googlegroups.com
Can you post some code?

If you start_tls, receive_data will be passed decrypted data off of the stream. For clients, you should call start_tls in connection_completed, and ensure no calls to send_data are made before the start_tls.

  Aman

On Thursday, December 13, 2012 6:33:06 PM UTC-8, Bryan wrote:

I have a custom Protobuf-based protocol that I've implemented as an EventMachine protocol and I'd like to use it over a secure connection between the server and clients. Each time I send a message from a client to the server, I prepend the message with a 4-byte integer representing the size of the Protobuf serialized string to be sent such that the server knows how many bytes to read off the wire before parsing the data back into a Protobuf message.

I'm calling start_tls in the post_init callback method in both the client and server protocol handlers, with the one in the server handler being passed the server's private key and certificate. There seems to be no errors happening at this stage, based on log messages I'm printing out.

Where I get into trouble is when I begin parsing data in the receive_data callback in the server's handler code... I read 4 bytes of data off the wire and unpack it to an integer, but the integer that gets unpacked is not the same integer I send from the client (i.e. I'm sending 17, but receiving 134222349).

Note that this does not happen when I don't use TLS... everything works fine if I remove the start_tls calls in both the client and server code.

Is it the case that SSL/TLS data gets passed to the receive_data callback when TLS is used? If so, how do I know when data from the client begins? I can't seem to find any example code that discusses this use case...

Bryan

Dec 15, 2012, 2:16:29 PM
to eventm...@googlegroups.com
Thanks Aman. Your comment about ensuring no calls to send_data are made before start_tls made me notice the ssl_handshake_completed callback available in EM::Connection. Rather than calling send_data after my call to start_tls in the client's connection_completed callback, I moved the call to send_data to the ssl_handshake_completed callback and things worked perfectly.

The comment in the documentation for ssl_handshake_completed says it all... see quote below.

From http://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection#ssl_handshake_completed-instance_method

This callback exists because #post_init and #connection_completed are *not* reliable for indicating when an SSL/TLS connection is ready to have its certificate queried for.

-Bryan
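Putting the two answers together (Aman's rule that nothing is sent before start_tls, and the ssl_handshake_completed callback Bryan ended up using), here is an added Ruby example. It is not code from either poster or from the EventMachine project. It assumes a big-endian 4-byte length prefix (the thread does not say which byte order was used), placeholder key/certificate paths supplied through environment variables, a constructed 1 MiB frame cap, and a client that pins the server certificate in ssl_verify_peer rather than disabling verification. The require of eventmachine is guarded so the framing decoder can be exercised on its own where the gem is not installed.

```ruby
require 'openssl'
begin
  require 'eventmachine'
rescue LoadError
  # Without the gem only the pure-Ruby framing decoder below is defined.
end

# The thread's framing: a 4-byte length prefix, then that many bytes of
# serialized Protobuf. Big-endian ('N') is an assumption of this example.
class LengthPrefixedDecoder
  FrameError = Class.new(StandardError)
  HEADER_BYTES = 4
  MAX_FRAME_BYTES = 1 << 20 # constructed cap; size it for your real messages

  def self.encode(payload)
    [payload.bytesize].pack('N') + payload.b
  end

  def initialize
    @buf = ''.b
  end

  # Append whatever the transport delivered (TLS and TCP both hand over
  # arbitrary chunks) and return every complete frame now available.
  def feed(data)
    @buf << data.b
    frames = []
    while @buf.bytesize >= HEADER_BYTES
      len = @buf.byteslice(0, HEADER_BYTES).unpack1('N')
      # A length far beyond anything the protocol sends means these bytes are
      # not a frame header (ciphertext, or a TLS record read as plaintext, gives
      # a meaningless huge value). Reject now rather than buffering forever.
      raise FrameError, "frame length #{len} exceeds #{MAX_FRAME_BYTES}" if len > MAX_FRAME_BYTES
      break if @buf.bytesize < HEADER_BYTES + len
      frames << @buf.byteslice(HEADER_BYTES, len)
      @buf = @buf.byteslice(HEADER_BYTES + len, @buf.bytesize - HEADER_BYTES - len)
    end
    frames
  end
end

if defined?(EventMachine)
  # Placeholder paths: supply your own key, certificate and pinned peer cert.
  SERVER_KEY  = ENV.fetch('SERVER_KEY',  'server.key')
  SERVER_CERT = ENV.fetch('SERVER_CERT', 'server.crt')
  PINNED_PEM  = ENV.fetch('PINNED_PEM',  'server.crt')

  module FramedTLSServer
    def post_init
      @decoder = LengthPrefixedDecoder.new
      # The server may start TLS immediately; it just waits for the ClientHello.
      start_tls(private_key_file: SERVER_KEY, cert_chain_file: SERVER_CERT)
    end

    def receive_data(data)
      # With start_tls active, data arrives here already decrypted, but still
      # buffer it: one receive_data call is not one message.
      @decoder.feed(data).each { |frame| puts "server got #{frame.bytesize}-byte message" }
    rescue LengthPrefixedDecoder::FrameError => e
      warn "server: #{e.message}; closing connection"
      close_connection
    end
  end

  module FramedTLSClient
    def initialize(payload)
      @payload = payload
    end

    def connection_completed
      # Rule from the thread: start_tls first, and no send_data before it.
      start_tls(verify_peer: true)
    end

    # Called for each certificate the server presents; return true to accept.
    # This pins a single (self-signed) certificate by DER equality; a chain with
    # intermediates would need a proper chain check instead.
    def ssl_verify_peer(pem)
      OpenSSL::X509::Certificate.new(pem).to_der ==
        OpenSSL::X509::Certificate.new(File.read(PINNED_PEM)).to_der
    end

    def ssl_handshake_completed
      # Only now is the channel encrypted; this is the place for the first
      # send_data, not post_init or connection_completed.
      send_data(LengthPrefixedDecoder.encode(@payload))
      close_connection_after_writing
    end
  end

  # Local demo on a constructed port; run with RUN_TLS_DEMO=1 ruby this_file.rb
  if $PROGRAM_NAME == __FILE__ && ENV['RUN_TLS_DEMO']
    EM.run do
      EM.start_server('127.0.0.1', 9443, FramedTLSServer)
      EM.connect('127.0.0.1', 9443, FramedTLSClient, 'hello over tls')
      EM.add_timer(2) { EM.stop }
    end
  end
end
```

The decoder is deliberately separate from the connection classes so it can be unit-tested with split and concatenated chunks, which is exactly the case that goes wrong when a handler assumes each receive_data call holds one whole message.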