RE: Issues implementing an async certificate validation engine
Date: Wed, 12 Feb 2020 22:33:40 +0000
Thanks for your reply. I'm doing the cert verification in the callback and the operation is async. The way the async verification is achieved is by using ASYNC_pause_job (which internally does a longjmp). Callback won't return, because the async job gets paused. Once async validation is done, SSL async job can resume. It's the resumed callback that will finally return with a validation result.
How to resume the async job is a mystery. Folks from OSSL forum said: "When your application knows that the callback is ready to continue it must ensure that whatever OpenSSL I/O operation was in progress prior to the pause is then invoked again". I have no clue what SSL I/O operation was in progress prior to pause, but I guess libcurl knows.
I tried to look into the stack trace:
#0 0x00007fffef70c480 in ASYNC_pause_job ()
#1 0x00007ffff01ed2cb in my_ssl_cert_verify_cb ()
#2 0x00007fffefbb7c3a in ssl_verify_cert_chain ()
#3 0x00007fffefbe47c9 in tls_process_server_certificate ()
#4 0x00007fffefbe7115 in ossl_statem_client_process_message ()
#5 0x00007fffefbe0d58 in state_machine ()
#6 0x00007fffef70c434 in async_start_func ()
But it doesn't help much.
From: Daniel Stenberg <daniel_at_haxx.se>
Sent: Wednesday, February 12, 2020 11:16 PM
To: Valerio Di Gregorio (vadigreg) via curl-library <curl-library_at_cool.haxx.se>
Cc: Valerio Di Gregorio (vadigreg) <vadigreg_at_cisco.com>
Subject: Re: Issues implementing an async certificate validation engine
On Tue, 11 Feb 2020, Valerio Di Gregorio (vadigreg) via curl-library wrote:
> My understanding is that ASYNC_start_job() has to be called again by
> libcurl to resume the async job.
I don't understand this remark. Aren't you doing the cert verification in the callback? Are you going to return from the callback without being done and then somehow keep verifying "in the background"?
> This generally happen in SSL I/O calls like SSL_Read/Write. Matt from
> OpenSSL mailing-list told me: "When your application knows that the
> callback is ready to continue it must ensure that whatever OpenSSL I/O
> operation was in progress prior to the pause is then invoked again.".
> Do you know of any libcurl function I can call to resume the SSL async job?
Sorry, but I don't. I don't understand how these OpenSSL APIs work and I don't understand how you envision this should work together with libcurl even if everything worked the way you wanted them to!
--
 / daniel.haxx.se | Commercial curl support up to 24x7 is available!
                  | Private help, bug fixes, support, ports, new features
                  | https://www.wolfssl.com/contact/
Received on 2020-02-12
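Added example, not part of the thread and not OpenSSL or libcurl code: a small model of the pause/resume control flow discussed above, built on POSIX ucontext. All names (pause_job, verify_cb, do_handshake, run_demo, OP_WANT_ASYNC) are hypothetical stand-ins; it shows why a paused callback does not return and why the caller has to invoke the same operation again to let it finish.

```c
#include <stdio.h>
#include <ucontext.h>
/* Hypothetical model, not OpenSSL code: OP_WANT_ASYNC stands in for SSL_ERROR_WANT_ASYNC. */
enum { OP_DONE, OP_WANT_ASYNC };
static ucontext_t caller_ctx, job_ctx;
static char job_stack[64 * 1024];
static int job_active, job_result, verdict_ready, verdict;

/* Stand-in for ASYNC_pause_job(): jump back to whoever started or resumed the job. */
static void pause_job(void) { swapcontext(&job_ctx, &caller_ctx); }

/* Stand-in for the verify callback: it does not return until a verdict exists. */
static int verify_cb(void) {
    while (!verdict_ready)
        pause_job();                    /* callback frame stays alive on job_stack */
    return verdict;
}

/* Stand-in for the handshake state machine that runs inside the job. */
static void job_main(void) { job_result = verify_cb(); job_active = 0; }

/* Stand-in for the I/O call: the first call starts the job, later calls resume it. */
static int do_handshake(int *ok) {
    if (!job_active) {
        getcontext(&job_ctx);
        job_ctx.uc_stack.ss_sp = job_stack;
        job_ctx.uc_stack.ss_size = sizeof job_stack;
        job_ctx.uc_link = &caller_ctx;  /* where control goes when job_main returns */
        makecontext(&job_ctx, job_main, 0);
        job_active = 1;
    }
    swapcontext(&caller_ctx, &job_ctx); /* run the job until it pauses or finishes */
    if (job_active) return OP_WANT_ASYNC;
    *ok = job_result;
    return OP_DONE;
}

/* Application loop: returns how many do_handshake() calls one handshake needed. */
int run_demo(int final_verdict, int *ok) {
    int calls = 1;
    verdict_ready = 0; job_active = 0;
    while (do_handshake(ok) == OP_WANT_ASYNC) {
        verdict = final_verdict;        /* external validator finishes here */
        verdict_ready = 1;
        calls++;                        /* re-invoke the same operation to resume */
    }
    return calls;
}

int main(void) { int ok, n = run_demo(1, &ok); printf("calls=%d ok=%d\n", n, ok); return 0; }
```

In the model, the first do_handshake() call comes back with OP_WANT_ASYNC while verify_cb() is still suspended on the job stack, and only the second call lets the callback return its verdict.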