[ https://issues.apache.org/jira/browse/TS-3372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14312619#comment-14312619 ]

Susan Hinrichs commented on TS-3372:
------------------------------------

The openssl team added a SSL_set_rbio to their master (will be 1.1).  Need to 
update ifdefs to pick up that version instead of our internal version if we 
are compiling against openssl 1.1 or better.

> Need to find another solution to SSL_set_rbio
> ---------------------------------------------
>
>                 Key: TS-3372
>                 URL: https://issues.apache.org/jira/browse/TS-3372
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Susan Hinrichs
>            Assignee: Susan Hinrichs
>             Fix For: 5.3.0
>
>
> We currently use readonly membuf BIOs to feed the handshake buffers into the 
> SSL_accept.  We added this to enable a SSL connection to transition into a 
> blind tunneled connection.  We would have the first packet in an io buffer 
> ready to send onto the origin server if the plugin decided to blind tunnel.
> To make this work, we would have to reset the read bio on each packet, since 
> we are passing in read-only pointers to our io buffer structures.
> Openssl provides a SSL_set_bio() call that lets you reset the read and write 
> bios for the SSL.  And you could use SSL_get_wbio() to feed back in the same 
> write bio.  But in the code, if buffered output is enabled (which it is in 
> our case), the write bio state is changed even if the write bio we pass in is 
> identical to the write bio that is already present.
> To make things work, I added a SSL_set_rbio that only frees and sets the 
> rbio.  This works fine for us.  But with the next major version (1.1) we will 
> not be able to read into the ssl data structure and adjust the rbio field 
> directly.
> Either we need to find the official approved solution to this problem or get 
> them to add one.  
> We have also discussed bypassing the openssl buffering and using ATS buffering 
> based on io buffers.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)