Pass connected SSL Socket to another Process


Question

I am struggling to find a mechanism to send a request to the target server and, when the socket has data to be read, pass the socket to another process for getting the data out. I came so far using epoll on Linux, to implement it to the point that I do the handshake, I send the request and the request arrives, then I pass the socket fd to another process for further handling. I explicitly save the SSL session using PEM_write_bio_SSL_SESSION and then read it using PEM_read_bio_SSL_SESSION and add it to the context, but I cannot read the SSL socket in another process because I get either Internal error or Handshake failure.

I've read this article but still couldn't find any mechanism to work it out. I know this is because OpenSSL is an application-level library, but there has to be a way because Apache is already doing this.

At least, if it's not possible, is there a way to decrypt the data from the socket (which I can read normally) using the Master Key from OpenSSL's session?

Recommended answer

The only way you can do this is by cloning the full user space part of the SSL socket, which is spread over multiple internal data structures. Since you don't have access to all the structures from Python, you can only do this by cloning the process, i.e. use fork.

Note that once you have forked the process you should only continue to work with the SSL socket in one of the processes, i.e. it is not possible to fork, do some work in the child and then do some work in the parent process. This is not possible because once you are dealing with the socket the SSL state gets changed, but only in one of the processes. In the other process the state gets out of sync and any attempts to use this wrong state later will cause strange errors.
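The desynchronisation described in the answer above, as an added example that is not part of the original answer and is not OpenSSL code: a simplified model in which each record's MAC covers an implicit sequence number, as TLS record protection does. `RecordLayer`, `KEY` and `run` are hypothetical names, the key and record format are constructed for the demo, and it assumes a platform with `os.fork` (Linux).

```python
import hashlib, hmac, os, socket, struct

KEY = b"constructed-demo-key"  # constructed; stands in for the negotiated session keys

class RecordLayer:
    """Toy stand-in for the user-space SSL state: a key plus implicit sequence numbers."""
    def __init__(self, sock):
        self.sock, self.write_seq, self.read_seq = sock, 0, 0
    def _mac(self, seq, data):
        return hmac.new(KEY, struct.pack("!Q", seq) + data, hashlib.sha256).digest()
    def send(self, data):
        # The sequence number is covered by the MAC but never sent on the wire.
        self.sock.sendall(struct.pack("!H", len(data)) + data + self._mac(self.write_seq, data))
        self.write_seq += 1
    def _read_exact(self, n):
        buf = b""
        while len(buf) < n:
            chunk = self.sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed")
            buf += chunk
        return buf
    def recv(self):
        (length,) = struct.unpack("!H", self._read_exact(2))
        data, mac = self._read_exact(length), self._read_exact(32)
        if not hmac.compare_digest(mac, self._mac(self.read_seq, data)):
            raise ValueError("bad record MAC")
        self.read_seq += 1
        return data

def run(child_reads):
    """Queue two records, fork, let the child read `child_reads`, then read in the parent."""
    peer_sock, local_sock = socket.socketpair()
    peer, local = RecordLayer(peer_sock), RecordLayer(local_sock)
    peer.send(b"record-1")
    peer.send(b"record-2")
    pid = os.fork()                      # fd and in-memory state are both duplicated
    if pid == 0:                         # child works on its own copy of the state
        try:
            for _ in range(child_reads):
                local.recv()
            os._exit(0)
        except BaseException:
            os._exit(1)
    child_ok = os.WEXITSTATUS(os.waitpid(pid, 0)[1]) == 0
    try:
        return child_ok, local.recv()    # parent's read_seq is still 0
    except ValueError as exc:
        return child_ok, str(exc)
```

`run(0)` leaves the connection to one process and the parent's read verifies; `run(1)` lets the child consume one record first, so the parent's stale sequence number makes the next record fail verification.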
