AcornSSL server functionality

yes b10 there’s CreateSession_New and CreateSession_ReuseAuth at the moment.

Yes, but it looks a bit uncomfortable to me.

? Isn’t it better for the module to do the certification/handshaking for the user just as a client ssl handle does the handshaking. I don’t see the need for the user to have to get involved if they don’t need to.

Acornssl_Creat

AcornSSL_Creat is the equivalent to the normal socket() function. Setting a bit telling the function that to create a client socket for use with Accept means you can use the registers for anything its just like giving a reason code.

It makes AcornSSL_Creat a one stop shop for creating ssl_handles and you don’t have to explain about it being an empty ssl_handle which needs initialising with other processes.

AcornSSL_Accept

Presumably AcornSSL_Accept reads the certificate data with socket read and it needs a buffer to do that. You don’t explain what the buffer is for, how big it has to be and whether it can be on the stack or … you get the idea I’m guessing.

If you just need a 1/2k buffer to download the cert – don’t know how big they are – then it’s easy enough to just create a suitable buffer in the server ssl_handle context during bind and don’t burden the user with guessing what to do.

which I’m translating to EWOULDBLOCK

Your Docs say AcornSSL_Accept returns EINPROGRESS

Thinking about it more I don’t think you should expose the socket with AcornSSL_GetSocket you should add the necessary swis instead. eg AcornSSL_Listen and I don’t know how you would set non-blocking. I created a socket first then set it to non blocking then used AcornSSL_CreateSession instead of AcornSSL_Creat in Ftpc. So I suppose a AcornSSL_IoCtl needs adding.

I always use non-blocking but there is a taskwindow blocking version of sockets which you set with socketioctl I think. You may be able to use a blocking socket with select() not sure I’d have to experiment.

The point of exposing the socket is to be able to use SocketWatch.

Colin: there is a good reason to use CertOp to create cert/key contexts: it’s usual for browsers to open multiple sockets. My way, the only thing the server app needs to maintain is two 32-bit pointers. Your way, the app has to maintain the entire cert and key files in memory, and ask the module to process them using the read operations (internally of course), every time a new socket is opened.

So I suppose a AcornSSL_IoCtl needs adding.

There is already an AcornSSL_Ioctl SWI.

Your Docs say AcornSSL_Accept returns EINPROGRESS

Oops again, I’ll fix the docs, thanks!

Regarding listen() you don’t need that as bind does the listen.

There is already an AcornSSL_Ioctl SWI.

So there is – can’t read.

So is there a need for a separate key and certificate contexts? Could you just have:

cert_handle = ssl_cert_create(char* certdata, int certdatasize, char* keydata, int keydatasize);
    ssl_cert_free(cert_handle);

and AcornSSL_Create becomes

ssl_handle =  ssl_create(CreateSession_NewServerAccept, certhandle, 0);

Could you just have:

Yes, but would it help?

Re. EWOULDBLOCK or EINPROGRESS for AcornSSL_Accept: thinking about it again, EINPROGRESS makes more sense. I’ll update the code and make sure the docs match.

It’s interesting, for sure. The question is, however, how to get WebJames to use it…or something to replace WebJames that can?

Or the excellent HTTP-Server from Thomas?
http://thomas-milius-stade.dnshome.de/English/Computer/index.htm

Yes it reduces complexity

I change

 ssl_handle=ssl_create()
cert_handle=ssl_cert_create_context()
ssl_cert_load_data() - prefer set data myself load made me think of loading a file
key_handle = ssl_key_create_context()
ssl_key_load_data()
ssl_certify();

ssl_close();
ssl_cert_free();
ssl_key_free();

to

cert_handle=ssl_cert_create()
ssl_handle=ssl_create()

ssl_close();
ssl_cert_free();

EINPROGRESS makes more sense.

Not really EWOULDBLOCK is expected from accept people may write EWOULDBLOCK without thinking.

There is one thing about reading certificates: it’s possible to load multiple certificates in separate operations. Having created a context, you can call the cert read operation more than once, and it will add certs in a chain.

How realistic it is to benefit from that functionality, I don’t know.

There’s no concept of chaining keys, there can only be one. If you call read key more than once, each subsequent operation will just replace the last one.

In terms of the name, the mbedTLS operation is called parse in both cases. Maybe that would be a better name than CERTOP_READ.

Or the excellent HTTP-Server from Thomas?

WebJames – GPL source
HTTP-Server – no source

Might be time to look elsewhere.

Might be time to look elsewhere.

GPL for an app is no problem whatsoever.

I should add that it is entirely possible to do a CertOp to parse a file, rather than require it to be loaded into memory and parsed from there. It’s what happens when loading InetDbase:CertData for client sockets, of course.

I’ll look at adding CertOp function codes for those operations.

there is a good reason to use CertOp to create cert/key contexts: it’s usual for browsers to open multiple sockets.

Browsers use client sockets and we already have client sockets working – AcornSSL does all the cert loading/handshaking stuff

For Ftpc I added CreateSession_ReuseAuth to AcornSSL_CreateSession. The idea is that the first socket that you open on the server does the full handshake which may result in a window popping up from acornssl if there is a problem. When another socket is opened on the server the new sessions are created with the ReuseAuth flag/cmd which copies the authorised session from an existing ssl_handle and uses that.

Unfortunately it only works with AcornSSL_CreateSession as I didn’t have a program to test with AcornSSL_Creat but I don’t see a problem.

I am assuming browsers would work like that.

I’ve just been updating the AcornSSL module so as to require just one flag bit when creating an empty server session. I thought the next available bit was b10

I forgot the flags aren’t actually flags they are reason codes – though I suppose it is possible for some bits to be reserved as flags in the future. So the next reason code is 2

There is one thing about reading certificates:

Presumably you want to bind the server to a specific certificate – I’d love to see your code to see how you have done this – aren’t the certs already loaded by acornssl good enough – I don’t know if you can select a specific cert from the certs in InetDBase:Certdata. In any case you are not going to have many instances of server sockets like you are client sockets in a browser so you should be able to hide the cert stuff like client sockets do.

If you do expose x509_crt.h functions it would be useful to use the similar names so the CertOp reason code for mbedtls_x509_crt_parse is AcornSSL_x509CrtParse that way it links to the mbedtls code.

The reason I’m commenting on this is AcornSSL doesn’t work like mbedtls it does not just expose mbedtls functions – which is a shame as far more than the x509 stuff is useful.

I’m not really following the who-has-what-certificate, so I’ll just pose one question.

Assuming we have a native server (WebJames or otherwise), how would it be set up so that a browser can access it without panicking?

I’m sure you’ve seen Firefox’s reaction to certificates it doesn’t trust…

If you have a Linux box, you can get free certs from Let’s Encrypt. That’s where I got mine from.

You can’t auto-renew them unless you keep the box on, but you can set yourself a reminder within 90 days (mine is in Alarm) and a one line command should renew the certs and key.

Of course the cert has to match the domain, so you have to have your own domain. I have a dynamic DNS domain at home, and, very fortunately, my router takes care of keeping it up to date when the IP address changes. The domain comes free from No-IP.com and I have to manually confirm it every 30 days when they email me the reminder. Minor PITA but it’s free.

Sorry if this is a bit off=topic, but there is a connection. I will (I hope) be running a sporting competition later this year, with all the scoring done on RISC OS. In order to avoid people gathering to see the results I’ve set up Webjames on the LAN to provide a web-based results system. The plan is to use a wireless access point to enable people to see the results on their phones.

In this situation – LAN access, not Internet – does anyone know whether the recent browser changes esp. Firefox, will interfere with this? If so, is there any prospect of Webjames being able to use HTTPS?

It may be possible to push the results to a PC. Is there a web server there which can run HTTPS locally? I use Wampserver for development. Is that a possibility?

It may be possible to push the results to a PC. Is there a web server there which can run HTTPS locally? I use Wampserver for development. Is that a possibility?

One way of doing it is to set up a reverse proxy using e.g. Apache web server running on a non RISC OS machine. All the https requests will then be sent to webjames using http. That way you can keep everything the same.

In this situation – LAN access, not Internet – does anyone know whether the recent browser changes esp. Firefox, will interfere with this? If so, is there any prospect of Webjames being able to use HTTPS?

You don’t have to use HTTPS.
Your alarm may have been caused by the incorrect suggestion that Firefox is doing HTTPS only as a default – it is not.

There is a feature you can turn on, as a user option, that enables a primary choice of HTTPS, but even that offers to connect on the HTTP port after a delay.

Basically DavidS was dealing with a machine that had the option turned on and assumed that was all the current version of Firefox ONLY did HTTPS, which is not true.