Posted to proton@qpid.apache.org by "Andrew Stitcher (JIRA)" <ji...@apache.org> on 2016/01/12 20:02:39 UTC

[jira] [Commented] (PROTON-855) Add axTLS (embedded SSL) support to proton-c

    [ https://issues.apache.org/jira/browse/PROTON-855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15094517#comment-15094517 ] 

Andrew Stitcher commented on PROTON-855:
----------------------------------------

This seems implemented a little strangely:

AxTLS essentially replaces the lower level socket send/recv so when using it in effect you don't have a proton SSL/TLS layer at all.

The Proton layer design assumes that each layer is an engine that you can feed bytes into at the bottom and take transformed bytes out of the top for reading (and vice versa for writing). AXTLS gives you no access to bytes in/out the bottom (afaict) and goes straight to the sockets API itself. If you use an API like this you can't fit it into the layer design.

I think the mixed design you have here would work extremely badly with the server side protocol auto detection code which sets up the layers automatically.

Using an SSL/TLS API such as this is possible, but I don't think the way to do it is quite like this. You would need to do all of the SSL work in the io layer and proton would be entirely unaware that there was any encryption happening.

> Add axTLS (embedded SSL) support to proton-c
> --------------------------------------------
>
>                 Key: PROTON-855
>                 URL: https://issues.apache.org/jira/browse/PROTON-855
>             Project: Qpid Proton
>          Issue Type: New Feature
>          Components: proton-c
>    Affects Versions: 0.9, 0.9.1, 0.10
>         Environment: Platform independent
>            Reporter: Tomasz Nowicki
>            Assignee: Andrew Stitcher
>              Labels: features
>             Fix For: 0.12.0
>
>         Attachments: axtls.c, axtls_proton_example.c, qpidproton-AXTLS.patch, ssl_io.h
>
>   Original Estimate: 0h
>  Remaining Estimate: 0h
>
> The axTLS embedded SSL project is a highly configurable client/server 
> TLSv1 SSL library designed for platforms with small memory requirements. 
> It comes with a small HTTP/HTTPS server and additional test tools. 
> axTLS is free! (BSD style licensing)
> http://axtls.sourceforge.net/
> axTLS integration with proton is done on the socket layer (posix layer). On the other hand, OpenSSL integration with proton is done on the transport layer. To use both solutions we had to add two methods, pn_ssl_recv and pn_ssl_send (declared in include/ssl_io.h), which in openssl mode, without encrypting, invoke native proton "pn_send" and "pn_receive" (io.c). In axTLS mode, those methods are replaced with proper axtls communication methods. Those are defined in openssl.c, ssl_stub.c, axtls.c and located in src/ssl.
> Methods pn_ssl_recv and pn_ssl_send replace original pn_send and pn_recv used in pni_connection_writable(pn_selectable_t *sel), pni_connection_readable(pn_selectable_t *sel) (connection.c).
> Moreover we introduced a new file, axtls.c, located in src/ssl. The file is an equivalent of openssl.c, implementing base ssl methods:
> PN_EXTERN pn_ssl_domain_t *pn_ssl_domain( pn_ssl_mode_t mode);
> PN_EXTERN void pn_ssl_domain_free( pn_ssl_domain_t *domain ); etc.
> Example of axTLS integration with e.g. ActiveMQ attached (axtls_proton_example.c):
> It's based on
> http://mail-archives.us.apache.org/mod_mbox/qpid-proton/201501.mbox/%3CCACL1BnC5JerbNikd_4fgkJqh13H5NL_2z-SSZP3Jg2t+ywAu2A@mail.gmail.com%3E



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
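The "layer as engine" shape Andrew's comment describes (bytes fed in at the bottom, transformed bytes taken out at the top, and the reverse for writing) is illustrated below as an added example. This is not code from the thread, the attached patch, or proton-c; the type and function names are hypothetical, and the transform is a TLS-record-like framing (a type byte, a 2-byte length and the payload) rather than real encryption. The point it shows is the interface: the io driver owns the socket and only shuffles bytes, so it neither knows nor cares what the layer does, and arbitrary short reads are handled by the layer's own buffering rather than by the socket code. An API that does its own send/recv on the socket, as the description says axTLS does, has no place to plug into such a pump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example code, not proton-c's API: one self-contained layer engine.
 * Record format (constructed, TLS-like): 0x17, len_hi, len_lo, payload. */
#define REC_HDR 3
#define BUF_CAP 1024

typedef struct {
    uint8_t wire_in[BUF_CAP];  size_t wire_in_len;  /* raw bytes from the socket side */
    uint8_t app_in[BUF_CAP];   size_t app_in_len;   /* decoded payload for the layer above */
    uint8_t wire_out[BUF_CAP]; size_t wire_out_len; /* framed records for the socket side */
    int error;                                      /* set on a malformed record */
} record_layer_t;

static void shift(uint8_t *buf, size_t *len, size_t n) {
    memmove(buf, buf + n, *len - n);
    *len -= n;
}

/* Bottom side, reading: accept any chunk the driver read from the socket.
 * Complete records are decoded; a partial one waits for more bytes. */
static size_t layer_push_in(record_layer_t *l, const uint8_t *buf, size_t n) {
    size_t room = BUF_CAP - l->wire_in_len;
    if (n > room) n = room;
    memcpy(l->wire_in + l->wire_in_len, buf, n);
    l->wire_in_len += n;
    while (l->wire_in_len >= REC_HDR) {
        size_t plen = ((size_t)l->wire_in[1] << 8) | l->wire_in[2];
        if (l->wire_in[0] != 0x17) { l->error = 1; break; }
        if (l->wire_in_len < REC_HDR + plen) break;          /* incomplete record */
        if (l->app_in_len + plen > BUF_CAP) break;           /* app side must drain first */
        memcpy(l->app_in + l->app_in_len, l->wire_in + REC_HDR, plen);
        l->app_in_len += plen;
        shift(l->wire_in, &l->wire_in_len, REC_HDR + plen);
    }
    return n;
}

/* Top side, reading: hand decoded payload to whatever sits above. */
static size_t layer_pull_in(record_layer_t *l, uint8_t *buf, size_t cap) {
    size_t n = l->app_in_len < cap ? l->app_in_len : cap;
    memcpy(buf, l->app_in, n);
    shift(l->app_in, &l->app_in_len, n);
    return n;
}

/* Top side, writing: frame application bytes into one record. */
static size_t layer_push_out(record_layer_t *l, const uint8_t *buf, size_t n) {
    if (n > 0xFFFF) n = 0xFFFF;
    if (l->wire_out_len + REC_HDR + n > BUF_CAP) return 0;
    uint8_t *p = l->wire_out + l->wire_out_len;
    p[0] = 0x17; p[1] = (uint8_t)(n >> 8); p[2] = (uint8_t)n;
    memcpy(p + REC_HDR, buf, n);
    l->wire_out_len += REC_HDR + n;
    return n;
}

/* Bottom side, writing: give the driver bytes to send on the socket. */
static size_t layer_pull_out(record_layer_t *l, uint8_t *buf, size_t cap) {
    size_t n = l->wire_out_len < cap ? l->wire_out_len : cap;
    memcpy(buf, l->wire_out, n);
    shift(l->wire_out, &l->wire_out_len, n);
    return n;
}

/* The io driver: moves bytes between the "socket" (here a constructed buffer,
 * read in `chunk`-sized pieces to simulate short reads) and the bottom of the
 * layer, and collects whatever comes out of the top. Never looks at payload. */
size_t drive_read(record_layer_t *l, const uint8_t *wire, size_t wire_len,
                  size_t chunk, uint8_t *decoded, size_t cap) {
    size_t total = 0, off = 0;
    while (off < wire_len) {
        size_t n = wire_len - off < chunk ? wire_len - off : chunk;
        size_t accepted = layer_push_in(l, wire + off, n);
        if (accepted == 0 || l->error) break;
        off += accepted;
        total += layer_pull_in(l, decoded + total, cap - total);
    }
    return total;
}

/* Frame messages through one layer, then read the wire bytes back through a
 * fresh layer in `chunk`-sized reads. Returns the number of decoded bytes. */
size_t roundtrip(const char *const *msgs, size_t nmsgs, size_t chunk,
                 uint8_t *decoded, size_t cap) {
    record_layer_t sender = {0}, receiver = {0};
    uint8_t wire[BUF_CAP];
    for (size_t i = 0; i < nmsgs; i++)
        layer_push_out(&sender, (const uint8_t *)msgs[i], strlen(msgs[i]));
    size_t wire_len = layer_pull_out(&sender, wire, sizeof wire);
    return drive_read(&receiver, wire, wire_len, chunk, decoded, cap);
}

int main(void) {
    const char *msgs[] = {"hello", "proton"};
    uint8_t decoded[BUF_CAP];
    size_t n = roundtrip(msgs, 2, 1, decoded, sizeof decoded); /* one byte per "read" */
    printf("%zu bytes decoded: %.*s\n", n, (int)n, decoded);
    return 0;
}
```

Swapping the framing for a real TLS implementation changes only the four layer functions; `drive_read` is unchanged, which is the property that lets protocol auto-detection insert or omit the layer at run time. An OpenSSL build gets this shape from memory BIOs; a library that insists on calling the sockets API itself cannot be given it.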