"Michal Trojnara" <[EMAIL PROTECTED]>:

> Stunnel 3.2 has been released.
> News:
[...]
> Added full duplex with non-blocking sockets.

I think your program will likely get stuck when the peer starts a renegotiation, as you don't obey SSL_ERROR_WANT_WRITE and SSL_ERROR_WANT_READ. But when trying to do things right, you'll probably discover that the OpenSSL API is not well-suited to doing full-duplex I/O: when you do one of SSL_read and SSL_write first and then the other one, you don't know whether a previous SSL_ERROR_WANT_... is still valid.

My solution to this problem (which I arrived at after having wasted some time trying to devise a state machine using just the SSL_... API) is to check BIO_number_read and BIO_number_written to see if there was any progress in an iteration of the main loop. Only if nothing at all has happened do I do a select of the requested type(s).

> RST sent instead of FIN on peer error (on error peer
> socket is reset - not just closed).

As I painfully discovered with my own TLS tunneling program, this won't work on Linux. See net/ipv4/af_inet.c in the kernel source (I've looked at versions 2.0.36 and 2.2.6). The new thing for 2.2.6 is a comment

/* XXX This makes no sense whatsoever... -DaveM */

for the case where lingertime is 0. -- It works fine on Solaris.

> RSA temporary key length changed back to 512 bits to fix
> problem with Netscape.

1024 bit temporary keys are defined only in certain new, experimental ciphersuites that Netscape doesn't have yet. The standard export ciphersuites have temporary keys limited to 512 bits. In fact, it's earlier versions of Netscape that had a problem w.r.t. temporary keys in that they accepted keys that were too long, legally -- see "SSLv3" in the "bugs" directory in SSLeay 0.9.0b. I think this even was a news item some time ago when it was publicly (re-)discovered.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
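The progress-check loop described in the reply above, as an added example that is neither stunnel's code nor the poster's. It replaces OpenSSL's socket BIO with a constructed bounded in-memory pipe (`pipe_t`) whose byte counters play the role of BIO_number_written() and BIO_number_read(), and replaces select() with `wait_for_events()`, a simulated peer that only acts while we block. In real code the WANT_* values come from SSL_get_error() after SSL_read()/SSL_write() and the wait is a select() on the socket; the point demonstrated is the same: attempt both directions every iteration, merge whatever WANT_* results come back, and block only when the transport counters show that not a single byte moved. All names (`pipe_t`, `conn_t`, `pump`, `demo_full_duplex`) and the two messages are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for OpenSSL's socket BIO: a bounded in-memory pipe that
 * reports WANT_READ / WANT_WRITE when it cannot move bytes right now and keeps
 * byte counters like BIO_number_written() / BIO_number_read(). */
enum { WANT_NONE = 0, WANT_READ = 1, WANT_WRITE = 2 };
#define PIPE_CAP 7 /* tiny on purpose so that writes stall often */

typedef struct {
    unsigned char buf[PIPE_CAP];
    size_t len;
    unsigned long bytes_in;  /* like BIO_number_written() */
    unsigned long bytes_out; /* like BIO_number_read() */
} pipe_t;

static int pipe_write(pipe_t *p, const unsigned char *src, size_t n, size_t *done)
{
    size_t room = PIPE_CAP - p->len;
    if (room == 0) return WANT_WRITE;
    if (n > room) n = room;
    memcpy(p->buf + p->len, src, n);
    p->len += n; p->bytes_in += n; *done = n;
    return WANT_NONE;
}

static int pipe_read(pipe_t *p, unsigned char *dst, size_t n, size_t *done)
{
    if (p->len == 0) return WANT_READ;
    if (n > p->len) n = p->len;
    memcpy(dst, p->buf, n);
    memmove(p->buf, p->buf + n, p->len - n);
    p->len -= n; p->bytes_out += n; *done = n;
    return WANT_NONE;
}

typedef struct {
    pipe_t to_peer, from_peer;
    const unsigned char *tx; size_t tx_len, tx_off;           /* our outbound message */
    unsigned char rx[64]; size_t rx_len;                      /* what we received */
    const unsigned char *peer_msg; size_t peer_len, peer_off; /* simulated peer's message */
    int selects;                                              /* times we had to block */
} conn_t;

/* Bytes the transport has actually moved in either direction. Comparing this
 * before and after one pass over both directions is the progress test. */
static unsigned long transport_progress(const conn_t *c)
{
    return c->to_peer.bytes_in + c->from_peer.bytes_out;
}

/* Stands in for select(): the only moment the simulated peer acts. It drains
 * what we wrote if we asked for writability and feeds us the next chunk of its
 * own message if we asked for readability. */
static void wait_for_events(conn_t *c, int want)
{
    c->selects++;
    if (want & WANT_WRITE) {
        c->to_peer.bytes_out += c->to_peer.len;
        c->to_peer.len = 0;
    }
    if ((want & WANT_READ) && c->peer_off < c->peer_len) {
        size_t done = 0;
        if (pipe_write(&c->from_peer, c->peer_msg + c->peer_off,
                       c->peer_len - c->peer_off, &done) == WANT_NONE)
            c->peer_off += done;
    }
}

/* Full-duplex pump: try both directions every iteration, block only when
 * neither moved a byte. Returns the number of waits, or -1 on a spin. */
static int pump(conn_t *c)
{
    int guard = 1000;
    while (c->tx_off < c->tx_len || c->peer_off < c->peer_len || c->from_peer.len > 0) {
        unsigned long before = transport_progress(c);
        int want = WANT_NONE, r;
        size_t done = 0;

        if (c->tx_off < c->tx_len) {                     /* outbound direction */
            r = pipe_write(&c->to_peer, c->tx + c->tx_off, c->tx_len - c->tx_off, &done);
            if (r == WANT_NONE) c->tx_off += done; else want |= r;
        }
        if (c->rx_len < sizeof c->rx) {                  /* inbound direction */
            r = pipe_read(&c->from_peer, c->rx + c->rx_len, sizeof c->rx - c->rx_len, &done);
            if (r == WANT_NONE) c->rx_len += done; else want |= r;
        }
        if (transport_progress(c) == before) {           /* nothing moved: now block */
            if (want == WANT_NONE || --guard == 0) return -1;
            wait_for_events(c, want);
        }
    }
    return c->selects;
}

/* Runs the constructed scenario: returns the number of blocking waits on
 * success, -1 if the data did not arrive intact in both directions. */
int demo_full_duplex(void)
{
    static const unsigned char ours[] = "hello from the client side";  /* constructed */
    static const unsigned char theirs[] = "server says hi";            /* constructed */
    conn_t c;
    int waits;
    memset(&c, 0, sizeof c);
    c.tx = ours; c.tx_len = sizeof ours - 1;
    c.peer_msg = theirs; c.peer_len = sizeof theirs - 1;
    waits = pump(&c);
    if (waits < 0 || c.rx_len != c.peer_len || memcmp(c.rx, theirs, c.peer_len) != 0)
        return -1;
    if (c.to_peer.bytes_in != c.tx_len) return -1;
    return waits;
}

int main(void)
{
    int waits = demo_full_duplex();
    printf("relay %s after %d blocking waits\n", waits < 0 ? "FAILED" : "ok", waits);
    return waits < 0;
}
```

With a 7-byte pipe and a 26-byte outbound message against a 14-byte inbound one, the loop blocks exactly three times; every wait carries both WANT_READ and WANT_WRITE, which is the situation the reply warns about: a stale single WANT_* from the previous iteration would have had the loop waiting on the wrong event.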