OpenSSL: accept TLS connection and then transfer to another process


Problem description

We have a (Linux) server running two processes, A and B. Currently, clients establish a connection to process A, which then passes the resulting socket's file descriptor to process B, allowing process B to use the existing fd/socket to communicate seamlessly with the client. The client and process B then perform a TLS handshake and continue talking on the resulting TLS connection.

(I'm leaving out a lot of details here, but yes, there is a good reason for having process A act as an intermediary instead of just connecting to process B directly)

Now, because of <long complicated story involving new client applications and websockets> it looks like we may have to perform the TLS handshake in process A, and then transfer the established TLS connection to process B.

Is that possible? The underlying socket's file descriptor can be copied (we do that already), and at least in theory, the internal TLS state data could also be copied and used to reconstruct the TLS connection in process B, effectively taking over the connection.

But does OpenSSL expose any facility like that? I found the function d2i_SSL_SESSION which seems to do something similar for an OpenSSL session object, but being quite new to OpenSSL, I'm not sure if that is sufficient. There are sessions, contexts, BIOs and a bunch of other complicated-sounding terms involved. How much would have to be serialized and transferred to process B for this to work? And how would it be done in practice?

The switchover is required to be 100% transparent to the client: it must simply perform an SSL handshake against a given IP/port, and then continue talking on the resulting socket, with no knowledge of the fact that one process accepts the connection and performs the TLS handshake, and another then handles all subsequent communication.
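The hand-off the question describes today (process A accepts the TCP connection and passes the socket fd to process B over a Unix-domain socket with SCM_RIGHTS), as an added Python example that is not part of the original post. Threads stand in for the two processes and the TLS handshake that B would then perform is left out, so it demonstrates only the fd transfer, including the sanity checks B should do on a descriptor it receives before layering anything on top of it; it assumes Python 3.9+ for socket.send_fds/recv_fds.

```python
import socket
import threading

def process_a_accept_and_hand_off(listener, to_b):
    """Process A: accept the client, hand the connected socket to B, drop A's copy."""
    conn, _ = listener.accept()
    # SCM_RIGHTS: the kernel duplicates the fd into B's descriptor table.
    socket.send_fds(to_b, [b"fd"], [conn.fileno()])
    conn.close()  # A's reference is gone; the connection lives on in B

def process_b_receive_and_serve(from_a):
    """Process B: receive the fd, check it is a connected stream socket, talk to the client."""
    _, fds, _, _ = socket.recv_fds(from_a, 16, 1)
    sock = socket.socket(fileno=fds[0])      # family/type are detected from the fd
    if sock.type != socket.SOCK_STREAM:
        raise RuntimeError("expected a stream socket from process A")
    peer = sock.getpeername()                # raises if this is not a connected socket
    data = sock.recv(64)                     # the client never notices the change of process
    sock.sendall(b"hello from B")
    sock.close()
    return peer, data

def run_handoff():
    """Drive one client through the A -> B hand-off; constructed local test setup."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    a_side, b_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    result = {}
    def b():
        result["peer"], result["data"] = process_b_receive_and_serve(b_side)
    tb = threading.Thread(target=b)
    ta = threading.Thread(target=process_a_accept_and_hand_off, args=(listener, a_side))
    tb.start(); ta.start()
    client = socket.create_connection(listener.getsockname())
    client.sendall(b"ping")
    reply = client.recv(64)
    client_addr = client.getsockname()
    client.close(); ta.join(); tb.join()
    listener.close(); a_side.close(); b_side.close()
    # (reply seen by client, data seen by B, B's peer address matches the client)
    return reply, result["data"], result["peer"] == client_addr
```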

Recommended answer

I haven't tried this in practice, but as far as I remember, after the connection is created at the socket level it is initialized by OpenSSL and then you read/write with SSL_read and SSL_write. They accept the socket fd as a parameter. The connection itself (from the SSL side) is represented with the SSL_CTX and SSL structs.

So in theory that sounds possible, but as I said I have never tried it in the real world.
