TCP/IP bounty beta release
Steve Revill (20) 1361 posts |
For anyone itching to get a preview of progress on our TCP/IP bounty development, we’re pleased to release a beta version for community testing following a successful programme of limited-release alpha testing. You can grab a copy here and make sure you carefully read the ReadMe.txt before getting started with a bit of testing! |
Chris Mahoney (1684) 2165 posts |
This looks interesting! I’ll definitely be having a play when I can; I have a couple of servers I can try it with… so now I just need some free time to actually do it :) |
Rick Murray (539) 13806 posts |
Psst! Manga works with that (as of version 0.30). ;-) |
Chris Mahoney (1684) 2165 posts |
OK, question time. I’m trying to connect to a self-signed server on my local network. When using the HTTP_Client test app this displays a message about the security check failing and asks whether I want to continue. If I proceed then it works as expected. However, in my Wimp app, which uses the URL and AcornHTTP modules, it just hangs for 30 seconds before failing with “Unable to connect to remote host”. The ReadMe file states:
Is this expected to work when called via URL/AcornHTTP or is it only if using the AcornSSL SWIs directly? |
Colin Ferris (399) 1809 posts |
Are there any progs that use this SSL Module? Is there a copy of !Phoenix that is HTTPS happy? Are there any advantages over using ‘SecureSockets’? [Edit 1] Couldn’t the Building of the Sockaddr – be modified by a couple of bytes – to be able to use sockaddr%!04 [Edit 2] |
Colin (478) 2433 posts |
Regarding the AcornSSL documentation: AcornSSL_Creat says bits 8-31 are reserved for future use, but goes on to say in the notes that setting bit 31 will create a secure socket(PF_INET,SOCK_STREAM,0). Why is that needed instead of just setting r0,r1,r2 to PF_INET,SOCK_STREAM,0? Is it something different? Will AcornSSL_Recv support more flags than MSG_PEEK, e.g. MSG_DONTWAIT and MSG_OOB? Will AcornSSL_Send support any flags, e.g. MSG_DONTWAIT and MSG_OOB? The AcornSSL_Send SWI doesn’t have a flags register so I suppose a new SWI would be needed? Will there be sendto and recvfrom SWIs? |
Rick Murray (539) 13806 posts |
Manga. Will find and use AcornSSL by preference.
Bad news good news. Bad news – it’s a little slower. If you’re asking about advantages, I suggest you do some reading up on crypto, vulnerabilities, and issues such as spoofing/man-in-the-middle. Then you’ll have your answer. |
Chris Mahoney (1684) 2165 posts |
And the source isn’t missing…
If I understand things correctly then you get this “for free” if you use the URL module instead of (or in addition to?) talking to AcornHTTP directly. It appears to work in my limited testing. |
Rick Murray (539) 13806 posts |
I don’t think they’ve made v1.05 source available (it is supposed to be a commercial product), but SecureSockets of some flavour is at http://www.armini.co.uk/SSLsource.zip |
Chris Mahoney (1684) 2165 posts |
That’s 1.03. Andrew couldn’t find 1.04, and 1.05 is a binary-patched 1.04 which therefore wasn’t built from source. |
Rick Murray (539) 13806 posts |
A cleverer person than me might be able to work out what’s different between 1.03 and 1.04 (especially seeing as WebsterXL doesn’t much like >1.03) to modify the source. As 1.05 was binary patched, there should be a fairly clear set of changes between it and 1.04… …but with the arrival of AcornSSL… PS: Jeez, don’t people keep change logs? |
Jeffrey Lee (213) 6048 posts |
A few comments from me:
Also I’m hoping that it’ll be relatively easy to drop in a TLS 1.3-supporting version of mbedTLS once that arrives :-) |
Chris Mahoney (1684) 2165 posts |
As far as I’m aware, the only change in 1.05 was to remove a page zero access, which wasn’t actually present in 1.03. A reverse-engineered 1.04 probably wouldn’t have the problem in the first place! But we’re getting off topic here :)
Indeed. It appears that you can manually add to the “CertData” file but I haven’t tested it, plus it’d get blown away with each new version of the Internet app. |
Colin Ferris (399) 1809 posts |
I have got WebsterXL working with SSockets v1.05 with Rools site and log in the Jaspp site. The fetching code is in !WebFetch – if I can understand the AcornSSL module docs – converting it to use AcornSSL looks possible. The one that needs mainly updating is ‘!Hermes’. And !Phoenix – if someone likes ‘C’. [edit 1] Where is the ‘Cabundle’ home? |
Rick Murray (539) 13806 posts |
A data file somewhere within !Internet. I saw it and wondered why it wasn’t using the existing setup. Different file formats perhaps? |
Sprow (202) 1155 posts |
URL_ReadData, which ultimately calls HTTP_ReadData, looks to be modelled on our good friend OS_GBPB. In other words, you ask for 500 bytes and you’ll get up to 500 bytes in reply, but maybe less. A typical Wimp app structure is outlined in the URL spec docs. Since the Wimp is cooperative multitasking, you need to poll the Wimp around the URL_ReadData calls otherwise the task that wants to show the certificate dialogue won’t get a look in. Is URL_ReadData returning zero bytes (or, maybe an error?). What do you do in that case? Is there any Wimp polling going on in your app? |
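The loop shape described in the post above, as an added example that is not part of the original post and is not ROOL's code. It is a portable C model: `read_fn` stands in for a URL_ReadData-style call that may return fewer bytes than requested or none, `yield_fn` stands in for polling the Wimp, and every name, the status values and the simulated source are assumptions. The stall limit counts empty reads where a real application would measure elapsed time.

```c
#include <string.h>

/* All names here are hypothetical; none of this is the URL module's API. */
typedef enum { RD_MORE, RD_DONE, RD_ERROR } rd_state;
typedef rd_state (*read_fn)(void *ctx, char *buf, size_t want, size_t *got);
typedef void (*yield_fn)(void *ctx);            /* stands in for Wimp_Poll */
typedef enum { FETCH_OK, FETCH_TIMEOUT, FETCH_ERROR, FETCH_OVERFLOW } fetch_result;

/* Read to completion, yielding after every call. A zero-byte read is not a
   failure; it only counts towards max_idle consecutive empty reads. */
fetch_result fetch_all(read_fn rd, yield_fn yield, void *ctx,
                       char *out, size_t cap, size_t *len, unsigned max_idle) {
    unsigned idle = 0;
    *len = 0;
    for (;;) {
        char chunk[64];
        size_t got = 0;
        rd_state st = rd(ctx, chunk, sizeof chunk, &got);
        if (st == RD_ERROR) return FETCH_ERROR;
        if (got > sizeof chunk || got > cap - *len) return FETCH_OVERFLOW;
        memcpy(out + *len, chunk, got);         /* append the short read */
        *len += got;
        idle = got ? 0 : idle + 1;
        if (st == RD_DONE) return FETCH_OK;
        if (idle > max_idle) return FETCH_TIMEOUT;
        yield(ctx);    /* let other tasks run, e.g. the certificate prompt */
    }
}

/* Constructed source: empty until the caller has yielded `need` times. */
typedef struct { unsigned yields, need; const char *body; size_t pos; } sim;

static rd_state sim_read(void *c, char *buf, size_t want, size_t *got) {
    sim *s = c;
    size_t n = strlen(s->body + s->pos);
    if (s->yields < s->need) n = 0;             /* prompt not answered yet */
    if (n > 5) n = 5;                           /* deliberately short reads */
    if (n > want) n = want;
    memcpy(buf, s->body + s->pos, n);
    s->pos += n;
    *got = n;
    return s->body[s->pos] ? RD_MORE : RD_DONE;
}
static void sim_yield(void *c) { ((sim *)c)->yields++; }

fetch_result run_sim(unsigned need, unsigned max_idle, char *out, size_t cap, size_t *len) {
    sim s = { 0, need, "hello, world", 0 };
    return fetch_all(sim_read, sim_yield, &s, out, cap, len, max_idle);
}

int main(void) { char b[64]; size_t n; return run_sim(3, 10, b, sizeof b, &n) != FETCH_OK; }
```

If the loop never yields, the simulated prompt is never answered and the fetch can only end in `FETCH_TIMEOUT`.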
Rick Murray (539) 13806 posts |
It should ideally return a specific error code. Otherwise how does one tell between “stalled because dialogue on screen” and “stalled so invoke timeout”? To be honest I find it odd that one “connects” and then keeps hitting the send function until it works or gives a proper error (referring to low level AcornSSL here). Wouldn’t it make more sense to do it like SecureSockets with a connection poll and that is when establishing the session happens and when problems can be resolved? Keep it logically apart – getting the session running and transferring data within the session…? |
Dave Higton (1515) 3497 posts |
I’ve downloaded Beta1 and I’m trying the HTTP_Client demo, but it falls at the first hurdle with “unrecoverable error in run time system: free failed”, which must be in SWI XAcornSSL_Creat in FNsocket(). Anyone else tried it? Anyone had more success? Is there anything else I should have done prior to running it other than double-click the AcornSSL module? |
Rick Murray (539) 13806 posts |
I’ve not run the latest version (not at the computer today) so I can’t comment, however there should be no such error especially when calling an X SWI. That error is typical of C when trying to release a bogus pointer (null, already freed, corrupted, etc etc). One thing, though – have you downloaded a very recent copy of Harddisc4 to pull out the CAbundle file from within Boot, Resources, Internet (data? files? it’s in there somewhere) ? Without that, AcornSSL won’t work correctly… |
Dave Higton (1515) 3497 posts |
Thanks, Rick – lack of the CertData file was the problem. So I can report an error that shouldn’t happen, and the bogus error message that it generates… |
Chris Mahoney (1684) 2165 posts |
Ahh, yes, I’ve probably forgotten to do this. I don’t have the code on hand, but it’d make sense (and for non-HTTPS use I wouldn’t have noticed the problem because the files I’m getting are only a few kilobytes and therefore wouldn’t normally stall the desktop). It’s also blatantly obvious in hindsight! Thanks for the tip; I’ll give it a go tonight :) Edit: Confirmed working (for certain definitions of “working”; I don’t have it pulling data back yet, but it is at least displaying the confirmation prompt now). |
Frank de Bruijn (160) 228 posts |
Seems to work OK with AntiSpam. Suggestion: don’t silently ignore options/flags you don’t support. It took me a while to realise there is no way to make the transfer calls non-blocking, even though the Ioctl SWI accepts that setting without protest. I haven’t tried to invoke certificate errors yet, but the first of Jeffrey’s points should definitely have priority. I’m OK with using it myself, but I think distributing a version of AntiSpam which uses a module that could block a non-interactive run would be a bad idea. Oh, and fix the AcornSSL_Version SWI. I don’t believe 100*version should result in 10000. |
Rick Murray (539) 13806 posts |
Wait – it doesn’t support non-blocking?!?!? Actually, I wouldn’t know … I just replaced the SocketLib calls with AcornSSL equivalents “and it just worked”. The code is written on the assumption that it is a non-blocking connection, and I suppose if it blocks then it would simply always return with data (and never EWOULDBLOCK). I hope non-blocking is “to come” because it would be, well, weird otherwise. Especially given RISC OS’ multitasking doesn’t exactly lend itself to coping with things stalling. :-)
It’s probably already been done and held in the code as “100”, and then it’s multiplied by 100 again to end up with 10,000! Now that the module has been “released” into the wild, it is imperative to increment this number, so the next will be 101, and so on. |
Frank de Bruijn (160) 228 posts |
Yup. That would be the logical thing to do. Or make it version 100.01… Another thing, does anyone have any info about the *_Stat SWI? What exactly does it return? The AcornSSL doc says the AcornSSL_Stat’s use is analogous to Socket_Stat, but I can’t seem to find any info on that. There’s nothing useful in the InetSocket StrongHelp manual (v1.06). |
Colin (478) 2433 posts |
It’s in PRM5a it does |