Issues implementing an async certificate validation engine
Date: Tue, 11 Feb 2020 17:17:26 +0000
This is my first post here; I need some help with certificate validation. I used the curl multi interface and CURLOPT_SSL_CTX_FUNCTION so that I can use SSL_CTX_set_cert_verify_callback() and SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ASYNC) to provide my own implementation of an async certificate validation engine. Such an implementation uses IPC to delegate certificate validation to another process. The idea is (pseudocode follows):
// this happens in process #1, inside my_cert_verify_callback()
int pipe_read_fd, pipe_write_fd;
create_pipe_for_validation_result(&pipe_read_fd, &pipe_write_fd);   // pipe(2) wrapper: [0] read end, [1] write end
async_validation_request(pipe_write_fd, cert, cert_len);            // requests cert validation from process #2 via IPC
read(pipe_read_fd, &validation_result, sizeof(validation_result));  // blocks until the verdict is written to the pipe
When the async response comes in via IPC, what I do is:
// this happens in process #1, when the IPC reply from process #2 arrives
write(pipe_write_fd, &status, sizeof(status));   // hands the verdict to the blocked/paused callback
I see 2 different issues with this:
1. ASYNC_pause_job() can wake up before write(). It will then block on the read(), which is too bad in my single-threaded code.
2. I fixed case 1 by making read() non-blocking; I then run ASYNC_pause_job() again and again until write() is actually performed. So now I hit another issue. The time between printf("pause") and write() is ~100-200 milliseconds. However, the time between write() and printf("resume") is usually ~4.5 seconds, and this is way too much.
My understanding is that ASYNC_start_job() has to be called again by libcurl to resume the async job. This generally happens in SSL I/O calls like SSL_read()/SSL_write(). Matt from the OpenSSL mailing list told me: "When your application knows that the callback is ready to continue it must ensure that whatever OpenSSL I/O operation was in progress prior to the pause is then invoked again." Do you know of any libcurl function I can call to resume the SSL async job?
Many thanks, any help would be much appreciated.
Valerio Di Gregorio
Received on 2020-02-11
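The following is an added example, not code from the post above nor from libcurl or OpenSSL. It isolates the pipe hand-off that the post describes (issue 1 and its non-blocking fix) in plain POSIX C so it runs without an OpenSSL build: the read end of the result pipe is made non-blocking, a poll that runs before the verdict has been written reports "pending" instead of blocking the single thread, and the same poll returns the verdict once the IPC path has written it. The names pending_verify_*, simulate_callback, and the verdict encoding (0 = certificate accepted, anything else = rejected) are assumptions made for this example; the loop in simulate_callback stands in for the repeated ASYNC_pause_job() calls, which a real verify callback would make instead of iterating.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Outcome of one attempt to collect the verification verdict (assumed encoding). */
enum verify_state { VERIFY_PENDING = 0, VERIFY_OK = 1, VERIFY_FAILED = 2, VERIFY_ERROR = 3 };

struct pending_verify {
    int read_fd;   /* checked on every resume; the event loop should poll this fd */
    int write_fd;  /* handed to the IPC layer; the verdict is written here */
};

/* Open the result pipe with a non-blocking read end, so a job that resumes
 * before the verdict has arrived gets EAGAIN instead of blocking the thread. */
int pending_verify_open(struct pending_verify *pv)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    int flags = fcntl(fds[0], F_GETFL, 0);
    if (flags < 0 || fcntl(fds[0], F_SETFL, flags | O_NONBLOCK) < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    pv->read_fd = fds[0];
    pv->write_fd = fds[1];
    return 0;
}

/* Verdict path: called in process #1 when the IPC reply from the validator arrives.
 * A single int32 write into an empty pipe is atomic and never blocks. */
int pending_verify_deliver(struct pending_verify *pv, int32_t status)
{
    ssize_t n = write(pv->write_fd, &status, sizeof status);
    return n == (ssize_t)sizeof status ? 0 : -1;
}

/* Called from the verify callback each time the job is resumed. */
enum verify_state pending_verify_poll(struct pending_verify *pv)
{
    int32_t status;
    ssize_t n = read(pv->read_fd, &status, sizeof status);
    if (n == (ssize_t)sizeof status)
        return status == 0 ? VERIFY_OK : VERIFY_FAILED;
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
        return VERIFY_PENDING;           /* woke up before write(): pause again */
    return VERIFY_ERROR;                 /* EOF, short read, or other error: treat as failure */
}

void pending_verify_close(struct pending_verify *pv)
{
    close(pv->read_fd);
    close(pv->write_fd);
    pv->read_fd = pv->write_fd = -1;
}

/* Runs the callback lifecycle in one thread: `spurious_wakeups` resumes happen
 * before the verdict is delivered, then the verdict arrives and is read.
 * Returns the number of rounds that correctly reported PENDING, or -1 on error. */
int simulate_callback(int32_t verdict_from_validator, int spurious_wakeups, int *final_state)
{
    struct pending_verify pv;
    if (pending_verify_open(&pv) != 0)
        return -1;
    int rounds = 0;
    for (int i = 0; i < spurious_wakeups; i++) {
        if (pending_verify_poll(&pv) != VERIFY_PENDING) {   /* must not block here */
            pending_verify_close(&pv);
            return -1;
        }
        rounds++;   /* a real callback would call ASYNC_pause_job() at this point */
    }
    if (pending_verify_deliver(&pv, verdict_from_validator) != 0) {
        pending_verify_close(&pv);
        return -1;
    }
    *final_state = pending_verify_poll(&pv);
    pending_verify_close(&pv);
    return rounds;
}

int main(void)
{
    int state = -1;
    int rounds = simulate_callback(0, 3, &state);
    printf("pending rounds=%d final_state=%d (1 = accepted)\n", rounds, state);
    return (rounds == 3 && state == VERIFY_OK) ? 0 : 1;
}
```

Because the read end is non-blocking, the only thing the single-threaded caller has to know is when read_fd becomes readable. In an OpenSSL build, the callback can obtain its job's wait context with ASYNC_get_wait_ctx(ASYNC_get_current_job()) and register read_fd there with ASYNC_WAIT_CTX_set_wait_fd(), so the application can discover it through SSL_get_all_async_fds() and add it to its own poll set instead of waiting for libcurl's socket timeout to drive the next SSL call.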