Pass connected SSL Socket to another Process

Question

I am struggling to find a mechanism to send a request to the target server and, when the socket has data to be read, pass the socket to another process for getting the data out. I came so far using epoll on Linux, to implement it to the point that I do the handshake, I send the request and the request arrives, then I pass the socket fd to another process for further handling. I explicitly save the SSL session using PEM_write_bio_SSL_SESSION and then read it using PEM_read_bio_SSL_SESSION and add it to the context, but I cannot read the SSL socket in another process because I get either Internal error or Handshake failure.

I've read this article but still couldn't find any mechanism to work it out. I know this is because openssl is an application-level library, but there has to be a way because Apache already is doing this.

At least, if it's not possible, is there a way to decrypt the data from the socket (which I can read normally) using the Master Key from openssl's session?

Recommended answer

The only way you can do this is by cloning the full user space part of the SSL socket, which is spread over multiple internal data structures. Since you don't have access to all the structures from Python, you can only do this by cloning the process, i.e. use fork.

Note that once you have forked the process you should only continue to work with the SSL socket in one of the processes, i.e. it is not possible to fork, do some work in the child and then do some work in the parent process. This is not possible because once you are dealing with the socket the SSL state gets changed, but only in one of the processes. In the other process the state gets out of sync and any attempts to use this wrong state later will cause strange errors.
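
The fork hand-off and the out-of-sync failure described in the answer, as an added example that is not part of the original answer: the parent completes the handshake and forks, the child reads the first record with the inherited state, and the parent's stale copy then fails on the second record. The loopback peer, the anonymous `AECDH-AES256-SHA` suite (an assumption, used only so this constructed rig needs no certificate) and the names `fork_demo`, `_ctx` and `_serve` are hypothetical.

```python
import os
import socket
import ssl

def _ctx(protocol):
    # Constructed loopback rig only: anonymous ECDH needs no certificate.
    ctx = ssl.SSLContext(protocol)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no anonymous suites
    ctx.set_ciphers("AECDH-AES256-SHA:@SECLEVEL=0")
    return ctx

def _serve(listener):
    conn, _ = listener.accept()
    tls = _ctx(ssl.PROTOCOL_TLS_SERVER).wrap_socket(conn, server_side=True)
    tls.recv(1024)
    tls.sendall(b"record-1")  # each sendall() here becomes one TLS record
    tls.sendall(b"record-2")

def fork_demo():
    listener = socket.create_server(("127.0.0.1", 0))
    server_pid = os.fork()  # constructed peer, stands in for the target server
    if server_pid == 0:
        try:
            _serve(listener)
        finally:
            os._exit(0)
    raw = socket.create_connection(listener.getsockname(), timeout=10)
    tls = _ctx(ssl.PROTOCOL_TLS_CLIENT).wrap_socket(raw)  # handshake in the parent
    tls.sendall(b"request")
    r, w = os.pipe()
    worker_pid = os.fork()  # child gets a copy of the whole user-space SSL state
    if worker_pid == 0:
        try:
            os.write(w, tls.recv(1024))  # decrypts record-1 with the inherited keys
        finally:
            os._exit(0)
    os.close(w)
    with os.fdopen(r, "rb") as pipe:
        child_data = pipe.read()
    os.waitpid(worker_pid, 0)
    try:
        tls.recv(1024)  # parent's copy never advanced its record sequence number
        parent_error = None
    except ssl.SSLError as exc:
        parent_error = exc
    os.waitpid(server_pid, 0)
    return child_data, parent_error
```

The parent's final `recv()` is there only to show the failure mode; in a real hand-off the parent closes its copy right after the fork and never reads or writes through it again.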
