I found an answer on the StackOverFlow. http://stackoverflow.com/questions/2512026/x-509-certificate-based-authentication-with-openssl-without-using-sockets
It may work and I am trying on it. On Wed, May 18, 2011 at 3:35 PM, Neo Liu <diablo...@gmail.com> wrote: > Thanks for your advice. > I have another question. If I don't use socket, how could I make TLS > handshake happen? > For example: > > incoming data ----> TLS engine ----> outgoing data > > My application get the incoming data from the client, and I feed it to the > TLS engine, and then TLS engine give me the outgoing data which the > application will send to the client. > It seems like that my application is an agent of the client for both TLS > handshake and TLS data transmission. > > How could I do it? > > > On Wed, May 18, 2011 at 11:53 AM, Rene Hollan > <rene.hol...@watchguard.com>wrote: > >> You CAN use openssl as an engine, with bio pairs. >> >> >> Look here: http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html >> : >> >> Using BIOs for SSL Data Transmission (Optional) >> >> Instead of using SSL_write() and SSL_read(), you can transmit data by >> calling BIO_puts() and BIO_gets(), and BIO_write() and BIO_read(), >> provided that a buffer BIO is created and set up as follows: >> >> BIO *buf_io, *ssl_bio; >> char rbuf[READBUF_SIZE]; >> char wbuf[WRITEBUF_SIZE] >> >> buf_io = BIO_new(BIO_f_buffer()); /* create a buffer BIO */ >> ssl_bio = BIO_new(BIO_f_ssl()); /* create an ssl BIO */ >> >> BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE); /* assign the ssl BIO to SSL */ >> BIO_push(buf_io, ssl_bio); /* add ssl_bio to buf_io */ >> >> ret = BIO_puts(buf_io, wbuf); >> /* Write contents of wbuf[] into buf_io */ >> >> ret = BIO_write(buf_io, wbuf, wlen); >> /* Write wlen-byte contents of wbuf[] into buf_io */ >> >> ret = BIO_gets(buf_io, rbuf, READBUF_SIZE); >> /* Read data from buf_io and store in rbuf[] */ >> ret = BIO_read(buf_io, rbuf, rlen); >> >> /* Read rlen-byte data from buf_io and store rbuf[] */ >> >> And also here: http://www.openssl.org/docs/crypto/BIO_new_bio_pair.html: >> >> The BIO pair can be used to have full control over the network access of >> an application. The application can call select() on the socket as >> required without having to go through the SSL-interface. >> >> >> The idea is that you have SSL use a bio that is one half of a bio pair: >> SSL will read and write from one bio of the pair, and this will >> "automagically" appear in the other bio of the bio pair (what's written on >> one side is read from the other, and vice-versa). >> >> >> You can also wrap the SSL-application side in a bio as first mentioned. >> >> >> It's a little tricky if you want to do this asynchronously: writing to >> the BIO fronting the SSL engine can result in output on the BIO of the BIO >> pair backing the SSL engine and/or output on the other side of the BIO >> fronting the SSL engine, and vice versa. This is because the SSL handshake >> takes place independently of the transfer of the data. Of course, it does no >> good to block on a BIO read that is stuck waiting a write on the same BIO >> (or the one on the "other side" of the SSL engine). >> >> >> I'm sure others might be able to explain it better, but it's a technique >> I've used in cases where I can't have SSL "front" a traditional socket. >> >> >> >> >> >> ------------------------------ >> *From:* owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] >> on behalf of Neo Liu [diablo...@gmail.com] >> *Sent:* Tuesday, May 17, 2011 7:33 PM >> >> *To:* openssl-users@openssl.org >> *Subject:* Re: Can openssl support EAP-TLS? >> >> >> On Thu, May 12, 2011 at 10:18 AM, Rene Hollan <rene.hol...@watchguard.com >> > wrote: >> >>> If you're looking to do authentication, freeradius will do EAP, and >>> talk to openssl for the TLS part (and an LDAP server for the actual >>> authentication and authorization). >>> ------------------------------ >>> >>> >> FreeRADIUS is too big for me. I just want to utilize OpenSSL to implement >> a EAP-TLS server. >> I want to openssl to handle the tls handshake and data encrypting and >> decryption, but I encapsulate the eap packet in my application. >> Can I use something like BIO pair or BIO mem to meet my need? >> >> Thanks for your great help. >> >> >> >
