shutdown problem between cyassl - openssl

Developers
Visibilis
2010-10-01
2013-04-23
  • Visibilis
    2010-10-01

    Hi!

    I would like to ask for help with the following problem:

    I need to reuse the transport layer (TCP socket, currently) doing several (SSL_new, SSL_connect/accept, sending data to and from, SSL_shutdown, SSL_free) sessions one after the other.
    If both client and server are CyaSSL only (or OpenSSL only), it works flawlessly.
    But if the client is CyaSSL and the server is OpenSSL (or vice versa), there are problems after the first session.

    Thank you in advance,

    Visibilis

  • Todd Ouska
    2010-10-01

    CyaSSL doesn't support reuse of the underlying connection in the exact same way that OpenSSL does through the use of SSL_shutdown() in two phases.  That is something we can change.

    But I'm curious.  If you know you're going to be reusing the underlying connection why not just leave it open in the first place?
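    The reuse pattern this thread is about (several TLS sessions back to back over one TCP socket, each ended by a full two-phase SSL_shutdown), as an added example that is not from the original posts. It uses Python's ssl module on top of OpenSSL, where unwrap() sends close_notify and then waits for the peer's close_notify before handing back the plain socket, and it assumes an openssl CLI is available to mint a throwaway self-signed localhost certificate.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

def make_self_signed(tmpdir):
    """Mint a throwaway localhost cert with the openssl CLI (assumed installed)."""
    cert, key = os.path.join(tmpdir, "cert.pem"), os.path.join(tmpdir, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key

def serve_sessions(raw, cert, key, rounds, errors):
    """Server side: `rounds` TLS sessions one after another on the same accepted socket."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(cert, key)
        for _ in range(rounds):
            tls = ctx.wrap_socket(raw, server_side=True)   # SSL_new + SSL_accept
            tls.sendall(b"echo:" + tls.recv(64))
            raw = tls.unwrap()  # SSL_shutdown phase 1 (send close_notify) + phase 2 (read peer's)
        raw.close()
    except Exception as exc:  # surfaced to the main thread by run_sessions()
        errors.append(exc)

def run_sessions(rounds=3):
    """Client side; returns (replies, fd_before, fd_after) to show one socket carried all sessions."""
    with tempfile.TemporaryDirectory() as tmpdir:
        cert, key = make_self_signed(tmpdir)
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        raw = socket.create_connection(listener.getsockname(), timeout=10)
        conn, _ = listener.accept()
        conn.settimeout(10)  # a stalled shutdown phase fails instead of hanging forever
        errors = []
        t = threading.Thread(target=serve_sessions, args=(conn, cert, key, rounds, errors))
        t.start()
        ctx = ssl.create_default_context(cafile=cert)  # verifies the constructed cert
        fd_before, replies = raw.fileno(), []
        for i in range(rounds):
            tls = ctx.wrap_socket(raw, server_hostname="localhost")  # SSL_new + SSL_connect
            tls.sendall(b"session%d" % i)
            replies.append(tls.recv(64))
            raw = tls.unwrap()  # returns only once both close_notify alerts have been exchanged
        t.join()
        fd_after = raw.fileno()
        raw.close()
        listener.close()
        if errors:
            raise errors[0]
        return replies, fd_before, fd_after
```

    Only after unwrap() has completed both phases is the socket safe to hand to the next session; a stack that tears down after phase one leaves the peer's close_notify unread, which is what the mixed CyaSSL/OpenSSL pairing runs into.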

  • Visibilis
    2010-10-05

    I need this, for example, because I would like to use an external session cache. The cache should be able to work with OpenSSL, as well. I would like to use the cache along the lines of i2d_SSL_SESSION and d2i_SSL_SESSION.
    One use case would be to start an SSL session, shut it down, and open a new SSL session using the serialized session from the external cache. All using one underlying connection.

  • Todd Ouska
    2010-10-05

    That's not going to be possible I think.  A session cache is implementation specific, there's no standard for what and how to store it.  That is, you can't use the same session cache with OpenSSL, GnuTLS, yaSSL etc…  Further, CyaSSL doesn't support an external session cache since it's intended for embedded use.  That's not to say it won't in the future but we haven't had any requests for it yet.

  • Visibilis
    2010-10-08

    Thank you for your kind reply.

    Could you give me a hint what I should do to be able to reuse the underlying connection with CyaSSL?
    Will you implement it, if I ask you nicely? :)

  • Todd Ouska
    2010-10-11

    Using CyaSSL on both ends is one solution.  Not calling SSL_shutdown on either end may be another.

    At some point we'll update CyaSSL to handle this situation but we're very busy with customers and potential customers at the moment so I can't give an estimate of when that will be.

  • Visibilis
    2010-10-13

    Both of these are sensible solutions, but neither of them works for me, unfortunately.
    I am glad to hear that you plan to update CyaSSL.
    If you don't mind, I will write a feature request, so that it won't get forgotten.

  • Todd Ouska
    2010-10-13

    Fair enough.  Please do enter a request.

  • Todd Ouska
    2010-10-18

    Hey, since you have a few feature requests and ideas about yaSSL, do you want to talk them through?  We can determine how quickly we complete them and set priorities for each.

    You can send me email at todd@yassl.com or we'll be available this week on skype, handle stefonic.