Re: preliminary SSL client
From: <mi...@ac...> - 2001-08-19 23:12:10
I did a "cvs update" from SourceForge and I didn't get any changes, and I looked through the logs and I didn't see anything.

Anyway, a few things I learned while playing with OpenSSL:

You have to be VERY careful using openssl to get everything right. Even the slightest deviation can cause weird problems that are difficult to explain and debug. So when copying my stuff, any deviation is suspect; OpenSSL expects you to do everything in just the order it wants.

I assume you created valid certificates and installed them in the right place. Figuring out how to do this took as much time as it took me to write the code. The instructions for creating the certificates are in the documentation changes I made. I assume you did this and copied my code about loading the certificates, since I doubt you would have gotten this far, but just in case.

Also, make sure you don't use the socket for anything else after you connect it to the SSL stuff.

When the changes get into the repository, I'll look at them.

-Corey

Alexey Mahotkin <al...@hs...> writes:

> Hello,
>
> I've committed preliminary SSL client implementation. On server side
> you have to use stunnel. I think that this is rather useful setup
> even without client certificates (which will be implemented later).
>
> Corey, I was looking at your sources when creating it. It currently
> writes ok (I've checked with recordio), and the stunnelled cvs-pserver
> writes back "I LOVE YOU" ok, but the client dies with:
>
> Logging in to :pserver:alexm@localhost:22401/repos
> CVS password:
> Entered internal_start_server
> Created socket_client: 0x80d4100
> Created ssl_client: 0x80d4138
> Entered ssl_connect()
> ssl_write(27)
> ssl_write(6)
> ssl_write(1)
> ssl_write(5)
> ssl_write(1)
> ssl_write(4)
> ssl_write(1)
> ssl_write(25)
> ssl_read(1)
> Could not read SSL data: bad asn1 object header
>
> The ssl_write()s are the "BEGIN AUTH REQUEST user password repository
> END AUTH REQUEST".
>
> Corey, if you could look at it and say if I've missed something
> crucial, it would be great. I'll also look at fetchmail
> implementation, but maybe I'm just overlooking something tiny.
>
> --alexm