Topic: Compatibility problem between wolfSSL - openssl (shutdown)

visibilis
2010-10-01 14:10:05 UTC
Hi! I would like to ask for help with the following problem: I need to reuse the transport layer (TCP socket, currently) doing several (SSL_new, SSL_connect/accept, sending data to and from, SSL_shutdown, SSL_free) sessions one after the other. If both client and server are wolfSSL only (or openssl only), it works flawlessly. But if the client is wolfSSL and the server is openssl (or vice versa), there are problems after the first session. Thank you in advance, Visibilis

touska (Project Admin)
2010-10-01 16:56:56 UTC
wolfSSL doesn't support reuse of the underlying connection in the exact same way that OpenSSL does through the use of SSL_shutdown() in two phases. That is something we can change. But I'm curious. If you know you're going to be reusing the underlying connection why not just leave it open in the first place?
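The two-phase close described above, as an added example that is not from the thread or from either library: Go's crypto/tls stands in for the OpenSSL calls (CloseWrite followed by reading until io.EOF plays the role of calling SSL_shutdown until it returns 1), the certificate is a throw-away self-signed one built in-process, and the transport is a loopback TCP socket that carries several TLS sessions one after the other.

```go
package main
import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/tls"; "crypto/x509"; "crypto/x509/pkix"
	"io"; "math/big"; "net"; "time"
)
func check(err error) { if err != nil { panic(err) } } // demo-only: fail loudly on setup errors

// shutdown mirrors OpenSSL's two-phase SSL_shutdown: the initiator sends close_notify and reads until the peer's
// close_notify arrives (io.EOF); the responder reads first, then answers. Only the TLS session ends; the raw conn stays open.
func shutdown(c *tls.Conn, initiator bool) error {
	if initiator { if err := c.CloseWrite(); err != nil { return err } }
	for buf, err := make([]byte, 256), error(nil); err != io.EOF; _, err = c.Read(buf) { // drain until close_notify
		if err != nil { return err }
	}
	if !initiator { if err := c.CloseWrite(); err != nil { return err } }
	return c.SetWriteDeadline(time.Time{}) // CloseWrite parks an expired write deadline on the raw conn: clear it
}
// runSessions sends msgs[i] in the i-th of len(msgs) back-to-back TLS sessions over ONE TCP connection, wrapping the
// same raw conn in a fresh tls.Conn each time (the SSL_new ... SSL_free cycle from the thread), and returns the echoes.
func runSessions(msgs []string) ([]string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); check(err) // throw-away self-signed demo cert
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames: []string{"localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); check(err)
	leaf, err := x509.ParseCertificate(der); check(err)
	pool := x509.NewCertPool(); pool.AddCert(leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	ln, err := net.Listen("tcp", "127.0.0.1:0"); check(err); defer ln.Close()
	go func() { // server side: accept once, then echo one record per session until the client goes away
		raw, err := ln.Accept(); if err != nil { return }
		defer raw.Close()
		for buf := make([]byte, 256); ; {
			s := tls.Server(raw, srvCfg)
			m, err := s.Read(buf) // implicit handshake, then one application record
			if err != nil { return }
			if _, err = s.Write(buf[:m]); err != nil || shutdown(s, false) != nil { return }
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String()); check(err); defer raw.Close()
	var echoed []string
	for _, msg := range msgs { // client side: new TLS session on the same socket each time
		c, buf := tls.Client(raw, cliCfg), make([]byte, 256)
		if _, err := c.Write([]byte(msg)); err != nil { return nil, err }
		m, err := c.Read(buf); if err != nil { return nil, err }
		echoed = append(echoed, string(buf[:m]))
		if err := shutdown(c, true); err != nil { return nil, err }
	}
	return echoed, nil
}
```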

visibilis
2010-10-05 13:42:10 UTC
I need this, for example, because I would like to use an external session cache. The cache should be able to work with OpenSSL, as well. I would like to use the cache along the lines of i2d_SSL_SESSION and d2i_SSL_SESSION. One use case would be to start an ssl session, shut it down, and open a new ssl session using the serialized session from the external cache. All using one underlying connection.

touska (Project Admin)
2010-10-05 18:22:45 UTC
That's not going to be possible I think. A session cache is implementation specific, there's no standard for what and how to store it. That is, you can't use the same session cache with OpenSSL, gnuTLS, yaSSL etc. Further, wolfSSL doesn't support an external session cache since it's an embedded SSL library intended for embedded use. That's not to say it won't in the future but we haven't had any requests for it yet.

visibilis
2010-10-08 13:43:03 UTC
Thank you for your kind reply. Could you give me a hint what I should do to be able to reuse the underlying connection with wolfSSL? Will you implement it, if I ask you nicely? :)

touska (Project Admin)
2010-10-11 21:16:24 UTC
Using wolfSSL on both ends is one solution. Not calling SSL_shutdown on either end may be another. At some point we'll update wolfSSL to handle this situation, but we're very busy with customers and potential customers at the moment, so I can't give an estimate of when that will be.