AcornSSL module

It has become apparent that the AcornSSL module, most welcome as it is, still needs more work. Ast the “FTPc 1.55” thread in Announcements shows, AcornSSL doesn’t cope with some of the extensions that some servers expect.

I got hold of the source code for AcornSSL and built it. Having checked that my newly built copy works the same as ROOL’s distro, I then built a version that doesn’t send the request for an FRC 5077 session ticket. Wiresalmon/Wireshark show that the extension isn’t sent, but the PureFTPd server that I need for access to my web site still rejects the connection in the same way.

Not supporting (and not claiming to support) RFC 5077 never was going to be the proper solution to the problem. We have to work out what a proper solution would be. This is not confined to the module; comments in the code say that supporting extensions requires the calling app’s cooperation. This means we need to change the API.

It is clearly necessary to pass extension data into and out of the module. As an example, supporting RFC 5077 session tickets requires that the module sends an empty request, that it passes the ticket and the expiry information back to the calling app, and then the calling app must store that information and pass it to the module (if still valid) when it wants to open another session.

It’s not clear to me whether it is possible to not request a session ticket, according to the app’s choice. ATM I can only see support or no support at compile time of the module. But I have a lot to learn…

There are more extensions. I don’t yet know anything about them.

Although I’m naively keen to have a go, I have to make it clear that I know nothing about TLS; I am a complete beginner. I’m also not a great C programmer, and I have trouble reading other people’s C; I easily get lost in the call trees. So, unquestionably, I’m not going to be able to fix this on my own.

One thing is for sure: we have to pass extension data back and forth. How? My first suggestion is to have an area of memory; put a magic word (e.g. “EXTN”) in the first word, a length (of the remainder) in the second word, and then extension data in the form of type, length and data, with a terminating word (0?) after the last item. Pass a pointer to this in R3 when creating a secure session or upgrading a socket to secure.

Knowledge, help and suggestions welcome!

There’s more than RFC5077. RFC5246 has another scheme for reuse.

Anyway I have FTPc working – sort of. I extended ssl_createsession with a new opcode CreateSession_NewReuseCert and an additional parameter for use with CreateSession_NewReuseCert which is the ssl descriptor of the working socket you want to copy the session from – in ftp you copy from the control socket.

The advantage of doing it this way is I can use the mbedtls library in AcornSSL. I did try making the required MbedTLS functions available via swis but that got messy very quickly – but it did work. AcornSSL is going to suffer the same problem as the usbdriver, without access to the library nuances are difficult to work around.

Unfortunately it only works at the moment if the authmode is configured to MBEDTLS_SSL_VERIFY_NONE, but I’m getting nearer.

Can anyone point me at v1.06 of the AcornSSL module? I downloaded the nightly HardDisc4 zip from this website, but I can only find v1.05 in !System.350.Modules.Network.URL.

but I can only find v1.05 in !System.350.Modules.Network.URL.

That’s where 1.06 is. It’s in the current Nightly beta HardDisc4 (self-extracting) download.

Can anyone point me at v1.06 of the AcornSSL module? I downloaded the nightly HardDisc4 zip from this website, but I can only find v1.05 in !System.350.Modules.Network.URL

That shows as v1.06 here. Are you certain you are looking at the latest HD4 download and you have done a Merge for the !Boot to make the version installed that very latest?

Gremlins at work here. Hard hats on and everything. Not sure how it happened, but yes, I see it now. Perhaps I was reading the “RMA” column in Verma instead of the “Version” column. It’s the only thing I can think of. That or gremlins. Anyway, sorted. Thanks, guys.