AcornSSL server functionality
Colin (478) 2433 posts |
yes b10 there’s CreateSession_New and CreateSession_ReuseAuth at the moment.
? Isn’t it better for the module to do the certification/handshaking for the user just as a client ssl handle does the handshaking. I don’t see the need for the user to have to get involved if they don’t need to.
AcornSSL_Creat is the equivalent to the normal socket() function. Setting a bit telling the function that to create a client socket for use with Accept means you can use the registers for anything its just like giving a reason code. It makes AcornSSL_Creat a one stop shop for creating ssl_handles and you don’t have to explain about it being an empty ssl_handle which needs initialising with other processes.
Presumably AcornSSL_Accept reads the certificate data with socket read and it needs a buffer to do that. You don’t explain what the buffer is for, how big it has to be and whether it can be on the stack or … you get the idea I’m guessing. If you just need a 1/2k buffer to download the cert – don’t know how big they are – then it’s easy enough to just create a suitable buffer in the server ssl_handle context during bind and don’t burden the user with guessing what to do. |
Colin (478) 2433 posts |
Your Docs say AcornSSL_Accept returns EINPROGRESS |
Colin (478) 2433 posts |
Thinking about it more I don’t think you should expose the socket with AcornSSL_GetSocket you should add the necessary swis instead. eg AcornSSL_Listen and I don’t know how you would set non-blocking. I created a socket first then set it to non blocking then used AcornSSL_CreateSession instead of AcornSSL_Creat in Ftpc. So I suppose a AcornSSL_IoCtl needs adding. I always use non-blocking but there is a taskwindow blocking version of sockets which you set with socketioctl I think. You may be able to use a blocking socket with select() not sure I’d have to experiment. |
Dave Higton (1515) 3497 posts |
The point of exposing the socket is to be able to use SocketWatch. |
Dave Higton (1515) 3497 posts |
Colin: there is a good reason to use CertOp to create cert/key contexts: it’s usual for browsers to open multiple sockets. My way, the only thing the server app needs to maintain is two 32-bit pointers. Your way, the app has to maintain the entire cert and key files in memory, and ask the module to process them using the read operations (internally of course), every time a new socket is opened. |
Dave Higton (1515) 3497 posts |
There is already an AcornSSL_Ioctl SWI. |
Dave Higton (1515) 3497 posts |
Oops again, I’ll fix the docs, thanks! |
Colin (478) 2433 posts |
Regarding listen() you don’t need that as bind does the listen.
So there is – can’t read. So is there a need for a separate key and certificate contexts? Could you just have:
and AcornSSL_Create becomes
|
Dave Higton (1515) 3497 posts |
Yes, but would it help? |
Dave Higton (1515) 3497 posts |
Re. EWOULDBLOCK or EINPROGRESS for AcornSSL_Accept: thinking about it again, EINPROGRESS makes more sense. I’ll update the code and make sure the docs match. |
David Feugey (2125) 2709 posts |
Or the excellent HTTP-Server from Thomas? |
Colin (478) 2433 posts |
Yes it reduces complexity I change
to
|
Colin (478) 2433 posts |
Not really EWOULDBLOCK is expected from accept people may write EWOULDBLOCK without thinking. |
Dave Higton (1515) 3497 posts |
There is one thing about reading certificates: it’s possible to load multiple certificates in separate operations. Having created a context, you can call the cert read operation more than once, and it will add certs in a chain. How realistic it is to benefit from that functionality, I don’t know. There’s no concept of chaining keys, there can only be one. If you call read key more than once, each subsequent operation will just replace the last one. In terms of the name, the mbedTLS operation is called parse in both cases. Maybe that would be a better name than CERTOP_READ. |
Steve Pampling (1551) 8155 posts |
WebJames – GPL source Might be time to look elsewhere. |
Dave Higton (1515) 3497 posts |
GPL for an app is no problem whatsoever. |
Dave Higton (1515) 3497 posts |
I should add that it is entirely possible to do a CertOp to parse a file, rather than require it to be loaded into memory and parsed from there. It’s what happens when loading InetDbase:CertData for client sockets, of course. I’ll look at adding CertOp function codes for those operations. |
Colin (478) 2433 posts |
Browsers use client sockets and we already have client sockets working – AcornSSL does all the cert loading/handshaking stuff For Ftpc I added CreateSession_ReuseAuth to AcornSSL_CreateSession. The idea is that the first socket that you open on the server does the full handshake which may result in a window popping up from acornssl if there is a problem. When another socket is opened on the server the new sessions are created with the ReuseAuth flag/cmd which copies the authorised session from an existing ssl_handle and uses that. Unfortunately it only works with AcornSSL_CreateSession as I didn’t have a program to test with AcornSSL_Creat but I don’t see a problem. I am assuming browsers would work like that.
I forgot the flags aren’t actually flags they are reason codes – though I suppose it is possible for some bits to be reserved as flags in the future. So the next reason code is 2
Presumably you want to bind the server to a specific certificate – I’d love to see your code to see how you have done this – aren’t the certs already loaded by acornssl good enough – I don’t know if you can select a specific cert from the certs in InetDBase:Certdata. In any case you are not going to have many instances of server sockets like you are client sockets in a browser so you should be able to hide the cert stuff like client sockets do. If you do expose x509_crt.h functions it would be useful to use the similar names so the CertOp reason code for mbedtls_x509_crt_parse is AcornSSL_x509CrtParse that way it links to the mbedtls code. The reason I’m commenting on this is AcornSSL doesn’t work like mbedtls it does not just expose mbedtls functions – which is a shame as far more than the x509 stuff is useful. |
Rick Murray (539) 13806 posts |
I’m not really following the who-has-what-certificate, so I’ll just pose one question. Assuming we have a native server (WebJames or otherwise), how would it be set up so that a browser can access it without panicking? I’m sure you’ve seen Firefox’s reaction to certificates it doesn’t trust… |
Dave Higton (1515) 3497 posts |
If you have a Linux box, you can get free certs from Let’s Encrypt. That’s where I got mine from. |
Dave Higton (1515) 3497 posts |
You can’t auto-renew them unless you keep the box on, but you can set yourself a reminder within 90 days (mine is in Alarm) and a one line command should renew the certs and key. |
Dave Higton (1515) 3497 posts |
Of course the cert has to match the domain, so you have to have your own domain. I have a dynamic DNS domain at home, and, very fortunately, my router takes care of keeping it up to date when the IP address changes. The domain comes free from No-IP.com and I have to manually confirm it every 30 days when they email me the reminder. Minor PITA but it’s free. |
Alan Adams (2486) 1147 posts |
Sorry if this is a bit off=topic, but there is a connection. I will (I hope) be running a sporting competition later this year, with all the scoring done on RISC OS. In order to avoid people gathering to see the results I’ve set up Webjames on the LAN to provide a web-based results system. The plan is to use a wireless access point to enable people to see the results on their phones. In this situation – LAN access, not Internet – does anyone know whether the recent browser changes esp. Firefox, will interfere with this? If so, is there any prospect of Webjames being able to use HTTPS? It may be possible to push the results to a PC. Is there a web server there which can run HTTPS locally? I use Wampserver for development. Is that a possibility? |
Chris Gransden (337) 1202 posts |
One way of doing it is to set up a reverse proxy using e.g. Apache web server running on a non RISC OS machine. All the https requests will then be sent to webjames using http. That way you can keep everything the same. |
Steve Pampling (1551) 8155 posts |
You don’t have to use HTTPS. There is a feature you can turn on, as a user option, that enables a primary choice of HTTPS, but even that offers to connect on the HTTP port after a delay. Basically DavidS was dealing with a machine that had the option turned on and assumed that was all the current version of Firefox ONLY did HTTPS, which is not true. |