Can something like this work as an alternative: Imagine this conversation between consenting peers
A---> (can you shut up "B", while I grab all your data?) B
A<----(OK) B
A grabs all data and then does a shutdown after caching the session to somewhere safe

The new process can resume the session assuming the cache is shared (and you pass the connected socket). Yes, you have a bunch of arbitrary data you need to pass via an IPC mechanism, which may or may not be a problem in your case.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Monday, March 17, 2008 4:32 PM
To: openssl-users@openssl.org
Subject: RE: How to transfer a socket with SSL already initialized

> The vague idea I've gotten so far is that I need to somehow
> transfer the SSL_SESSION to the new process. Examining the
> output of SSL_SESSION_print_fp() I see that the session ID
> and master key change every time SSL is initialized, so
> simply reinitializing the SSL library in the new process
> won't do.

> What do I have to do to let the child process use the host
> application's secure socket? Is there some way I can dump
> the session to a file -- or perhaps even fwrite SSL_SESSION
> itself -- and load it up in the new process, or do I
> need to do something else?

The short answer is no, there is no good/easy way to do this. You have three choices:

1) Extend OpenSSL to provide this support. This is a complex and tricky thing to do for a variety of reasons.

2) Use another SSL library that offers this feature instead of OpenSSL.

3) Use a proxy, with whatever listens to the SSL socket proxying data to and from a pipe or socket that you can hand off.

I think it would be a good thing to extend OpenSSL so that it can output everything that's necessary to support a given SSL session as a DER object and to allow an SSL session to be initialized from a socket and a DER object, but that's not currently possible. As I understand it, there are quite a few thorny obstacles involved.

DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
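
Choice 3 in the message above (the proxy) as an added example; it is not code from the thread or from OpenSSL. It uses Python's standard socket module instead of the OpenSSL C API, the names `relay` and `hand_off` are hypothetical, and `tls_sock` is assumed to be an already-handshaken `ssl.SSLSocket` that stays in the original process.

```python
import select
import socket
import threading


def relay(tls_sock, plain_sock, bufsize=16384):
    """Copy bytes both ways until either side closes, then close both.

    tls_sock   -- the handshaken TLS socket; its keys never leave this process
    plain_sock -- our end of a socketpair; the other end belongs to the worker
    """
    # A plain socket has no pending(); treat that as "nothing buffered".
    pending = getattr(tls_sock, "pending", lambda: 0)
    try:
        while True:
            if pending():
                # The TLS layer may hold decrypted bytes that select() cannot
                # see on the file descriptor, so drain them before blocking.
                readable = [tls_sock]
            else:
                readable, _, _ = select.select([tls_sock, plain_sock], [], [])
            for src in readable:
                dst = plain_sock if src is tls_sock else tls_sock
                data = src.recv(bufsize)
                if not data:  # EOF on one side ends the whole relay
                    return
                dst.sendall(data)
    finally:
        tls_sock.close()
        plain_sock.close()


def hand_off(tls_sock):
    """Keep TLS termination here and return a plaintext socket to give away.

    The returned socket carries no TLS state, so a child process can inherit
    its descriptor (for instance via subprocess.Popen(..., pass_fds=[...])).
    """
    ours, theirs = socket.socketpair()
    threading.Thread(target=relay, args=(tls_sock, ours), daemon=True).start()
    return theirs
```

The worker sees only plaintext on a local socket, so the process that holds the TLS connection must stay alive for as long as the worker does.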