AcornSSL

I’ve been familiarising myself with the AcornSSL module and was wondering about the decision to do the handshake in the send and recv functions resulting in the need for a fake ENOTCONN error being returned from these functions while the handshake is in progress. This makes the use of these functions slightly different to normal socket programming as I think ENOTCONN is not usually treated like an EWOULDBLOCK.

I was wondering why the ssl handshake isn’t done in connect and createsession. That way the connection is complete after either of these functions – createsession would work the same as connect with the socket already connected. Is there a reason not to do it that way?

I always use non blocking mode and connect like this – you don’t need to use select to confirm the connection is complete.

    while (ssl_connect(sock, (struct sockaddr*)&sin, sizeof(sin)) < 0)
    {
        if (errno == EINPROGRESS || errno == EALREADY) continue;
        
        if (errno == EISCONN) break;

        printf("Connect errno: %d\n", errno);
        return 0;
    }

createsession could work in a similar way like this for a non blocking socket – a blocking socket wouldn’t need the loop:

    while (sslhandle = ssl_createsession(sock, CreateSession_New), sslhandle < 0)
    {
        if (errno == EINPROGRESS) continue;
        printf("create session errno: %d\n", errno);
        return 0;
    }

After these functions have finished you know the secure connection is established and can do the rest of the socket programming in the normal way.

I think AcornSSL can easily be changed to do this leaving the handshake in send and recv for those who already expect this as the handshake function just returns after it has completed.

Any thoughts?

I’m having problems writing a server at the moment – just a test program running in a taskwindow. I keep stiffing the machine. It maybe something to do with certificates or something I don’t understand. Does anyone know if I should it be possible to write a server with the current AcornSSL module? I’m just doing normal sockets up to accept and then using ssl_createsession on the accepted socket.

Does anyone know if I should it be possible to write a server with the current AcornSSL module?

It’s impossible, AFAIK. E.g. there’s no way to set which certificate(s) the server should be using.

I was wondering why the ssl handshake isn’t done in connect and createsession. That way the connection is complete after either of these functions – createsession would work the same as connect with the socket already connected.

I agree. I’ve just been working on an SSL client app, and the same occurred to me.

If the socket is blocking, createsession shouldn’t return until it has created a session successfuly, or has failed to do so. If the socket is non-blocking, it should return either EWOULDBLOCK or EINPROGRESS (I don’t mind) until it has succeeded or failed.

So, the next question: if it were altered to behave that way, would it cause any compatibility issues?

As for the server functionality, I’d very much like to use that too. I did have a brief look at the mbedTLS code with a view to seeing if I could create a module (before the new AcornSSL module beta emerged), but I felt rather lost and gave up. Is there a plan to add server functionality to AcornSSL, or should we interested parties have a look and see if we can do it as a cooperative project?

I must add that I haven’t found docs for mbedTLS that I find adequate. If anyone can point me at something good – clearly, something that also documents server functionality is highly desired – I’d be grateful.

wondering about the decision to do the handshake in the send and recv functions resulting in the need for a fake ENOTCONN error being returned from these functions while the handshake is in progress. This makes the use of these functions slightly different to normal socket programming as I think ENOTCONN is not usually treated like an EWOULDBLOCK.

Cast your mind back to the heady days of dial-on-demand internet. The idea is to defer the dial until you’re in the (typically) multitasking bit. The URL module (via AcornHTTP)’s statemachine will keep trying the send() or recv() until no more ENOTCONN. I learned this from some document Stewart Brodie wrote, but am failing to put my hands on it just now – maybe it was in !Browse or something.

Also, not all connect()s are streams, so for UDP connect() doesn’t do much beyond a few mallocs and setting up some state, ie. the remote host isn’t contacted.

https://tls.mbed.org/api/ at least lists the other steps that we would need to get server functionality going, so we’d need to extend the AcornSSL API a bit.

I learned this from some document Stewart Brodie wrote, but am failing to put my hands on it just now – maybe it was in !Browse or something.

If you do manage to put your hands on Stuart Brodie’s document, then I would be very interested.

Or, in a copy of !Browse, if it is written in Basic.

I have a very old copy of Stuart Brodie’s Basic !HTTPserver – now updated and running on RO 5.24 (Pi).

I have, as yet, failed to get a non-blocking HTTP client running in BASIC (without using EasySockets and Aemulor – which do the job very well).

Is there a plan to add server functionality to AcornSSL, or should we interested parties have a look and see if we can do it as a cooperative project?

Judging by the lack of response when I asked last year, I think it’s safe to say that server functionality isn’t something that’s on ROOL’s todo list.

I’ve dabbled with a few different SSL libraries in the past, so I’m hoping that it won’t be too hard for me to get my head around it. But I’m not sure when I’ll be trying.

Cast your mind back to the heady days of dial-on-demand internet. The idea is to defer the dial until you’re in the (typically) multitasking bit. The URL module (via AcornHTTP)’s statemachine will keep trying the send() or recv() until no more ENOTCONN. I learned this from some document Stewart Brodie wrote, but am failing to put my hands on it just now – maybe it was in !Browse or something.

Not saying ssl_send() shouldn’t return ENOTCONN the question is what is the correct response to it. If I know the socket is connected before calling ssl_send() then ssl_send() returning ENOTCONN would tell me that it has disconnected and I may want to reconnect the connection. However if I don’t know ssl_connect() succeeded then I don’t know if the ENOTCONN is a dropped connection or a connection in progress. If it’s in progress I don’t want to recreate the connection, if it’s not I may.

Also, not all connect()s are streams, so for UDP connect() doesn’t do much beyond a few mallocs and setting up some state, ie. the remote host isn’t contacted.

You can determine the socket type inside ssl_connect().

Server functionality might be nice if it could be applied to more than just http – for instance could it handle “secure telnet”? I don’t know if SSH is “telnet via SSL” or some other sort of protocol.

However, in a midst of a long debate about what was our was not a “bad” certificate, God smited… Sorry, Steve R said: The person working on this bounty, for a fixed amount of minimum-wage, is understandably uncomfortable with the scope creep and I’m going to draw a line under this.
Which rather implied to me that any server side functionality was not part of the original plan and, likely due to the amount of work it would add, unlikely to turn up any time soon.

Or, in a copy of !Browse, if it is written in Basic.

WebsterXL is written in BASIC.
Everything else is written in a language that understands memory management needs to be flexible. ;-)

Browse is here: https://gitlab.riscosopen.org/RiscOS/Sources/Apps/Browse

Or if you want to attempt to browse it (ho ho) on NetSurf, here’s the old way: https://www.riscosopen.org/viewer/view/apache/RiscOS/Sources/Apps/Browse/

Server functionality might be nice if it could be applied to more than just http – for instance could it handle “secure telnet”? I don’t know if SSH is “telnet via SSL” or some other sort of protocol.

SSL is just “TCP with encryption”, so in theory it can be applied to any TCP-based protocol. However I don’t know if it’s directly compatible with SSH – it uses the same encryption methods under the hood, but a quick skim through the SSH spec suggests that the negotiation stage might be rather different.

WebsterXL is written in BASIC.

Does it come with full Source Code? Or, is it crunched to be unreadable? Or even compiled?

Or if you want to attempt to browse it (ho ho) on NetSurf, here’s the old way:

Thanks for the links, but that just goes straight over my head.

Does it come with full Source Code?

No, it is a commercial product (well, it was, it mostly seems to choke on today’s version of the web).

Or, is it crunched to be unreadable?

Crunched. Because, cone on, it’s a browser. Even in the easier HTML3.2 era, sensibly parsing HTML to render isn’t an easy task. There’s a lot of code.

that just goes straight over my head.

C’s like BASIC written in lower case with loads of semicolons everywhere, and a stressy compiler that will think the world is ending (and spit out hundreds of dire messages) should you forgot one single closing brace.

It’s quite comical really, I don’t know why compilers don’t just stop at the first ERROR and insist on ploughing on even though it has completely lost the plot.
It would be like if I was reading a good novel that suddenly and inexplicably switched to Swedish, and I then complained about not understanding Every. Single. Word. For. The. Entire. Rest. Of. The. Book. ;-)

Anyway, good luck finding a browser written in BASIC. As for as I’m aware, Webster is the only one. I did begin one called TinyBrowse, but have up when BASIC’s memory handling started to show deficiencies. It’s a shame DIM doesn’t have a FREE (akin to malloc()/free() in C).
Well, Basalt probably does, but this was circa 1996-1997. ;-)

Rick – it’s easy to forget that WXL had an assembler core which did things like memory assignment etc. IIRC strings were something that required that – BASIC imposed too many restrictions so WXL had its own assembler arbitrary length string handling functions.

One little snippet of information: the source code for AcornSSL shows that the module reads the root CA from InetDBase:CertData

I know there has been some discussion about certificate data being stored in different places (I’ve just deleted my copy of Resources.!CaCertificates), but this is another things that makes InetDBase:CertData a bit more official.

If anyone would like to take a working but static recipe, and improve upon it to use an updated date, try this Obey file:

AND Textile NOT to process the link

try replacing one of the double quotation marks by ampersand hash 34 semicolon
Example surrounded by code tags:

text "more text in quotes":http://this.is.not.a.link
again but with no code tags and the quotation marks so replaced

text "more text in quotes":http://this.is.not.a.link

same again but the quotation marks are quotation marks:

text more text in quotes

take your pick.

Does an @ sign work inline at the beginning and end of the code like this curl -o InetDBase:CertData -z "Oct 16 03:12:09 2019 GMT" <a href="https://curl.haxx.se/ca/cacert.pem">https://curl.haxx.se/ca/cacert.pem</a>

or ’bc. ’ before the code if you want it in a box work?

curl -o InetDBase:CertData -z "Oct 16 03:12:09 2019 GMT" <a href="https://curl.haxx.se/ca/cacert.pem">https://curl.haxx.se/ca/cacert.pem</a>

Edit:

apparently not. I think that used to work – never seen textile convert the text to html before.

As for as I’m aware, Webster is the only one

ArcWeb?

Let’s try converting the " and : characters to HTML entities, so " becomes " and : becomes :

curl -o InetDBase:CertData -z "Oct 16 03:12:09 2019 GMT" https://curl.haxx.se/ca/cacert.pem

Is that what you were trying to do?

I guess I’ll give it a go as well.

curl -o InetDBase:CertData -z "Oct 16 03:12:09 2019 GMT" https://curl.haxx.se/ca/cacert.pem

Nope, it always wants to linkify it. However using <notextile> tags means that the link works properly instead of breaking the code formatting (the above is formatted using <notextile><pre>…</pre></notextile>)

never seen textile convert the text to html before

Textile does a blind idiot translation of anything it thinks is a URL, regardless of whether or not it is appropriate. I’m sure a search for “hxxp” will reveal some of the cases where I’ve used that to fool it.

ArcWeb?

If I recall correctly, that was C.

Rick said

Everything else is written in a language that understands memory management needs to be flexible.

Andrew chided

WXL had its own assembler arbitrary length string handling functions

It would be churlish for me to point out C’s concept of strings at this point, so I won’t.

Meanwhile, Unicode always solves everything:

curl -o InetDBase:CertData -z “Oct 16 03:12:09 2019 GMT” ht‍tps://curl.haxx.se/ca/cacert.pem

curl -o InetDBase:CertData -z "Oct 16 03:12:09 2019 GMT" ht‍tps://curl.haxx.se/ca/cacert.pem

curl -o InetDBase:CertData -z "Oct 16 03:12:09 2019 GMT" ht‍tps://curl.haxx.se/ca/cacert.pem

Unicode always solves everything

Albeit not necessarily in the most elegant or efficient or easily-memorized manner… 8~)