Re: [libmicrohttpd] Problems with SSL/TLS
From: address@hidden
Subject: Re: [libmicrohttpd] Problems with SSL/TLS
Date: Tue, 05 Jan 2010 09:14:39 -0500
https://ng.gnunet.org/svn/libmicrohttpd/src/examples/https_fileserver_example.c
https://ng.gnunet.org/svn/libmicrohttpd/src/testcurl/https/tls_authentication_test.c
You can run the tls_authentication_test with 'make check'.
On Mon, 2010-01-04 at 11:27 -0500, Jesse Anderton wrote:
> I'm still struggling with this. I can't get the code example from
> http://www.gnu.org/software/libmicrohttpd/tutorial.html#tlsauthentication_002ec
> working with either MHD_USE_SELECT_INTERNALLY or
> MHD_USE_THREAD_PER_CONNECTION: the program compiles and launches, but any
> browser I try to connect with waits indefinitely. If I kill the server the
> browsers immediately give up, so I know they have an open socket to the
> server.
>
>
> Does anybody have a working TLS example I could start from? I'm
> almost out of time to add TLS to my web server, but I'd strongly
> prefer to use libmicrohttpd's built in support instead of
> re-implementing the feature in my own custom select handler.
>
>
> Thanks for your time,
>
>
> Jesse
>
> On Thu, Dec 24, 2009 at 12:16 PM, Jesse Anderton
> <address@hidden> wrote:
> Christian,
>
>
> I decided to start with the example in the tutorial at
> http://www.gnu.org/software/libmicrohttpd/tutorial.html#tlsauthentication_002ec
> and incrementally change it until the code is set up the way I need it for
> my program. To my surprise, the tutorial itself didn't work - Chrome reports:
>
>
> Error 107 (net::ERR_SSL_PROTOCOL_ERROR): Unknown error
>
>
> IE simply says it couldn't load the page.
>
>
> This makes me think that my problem is more likely caused by,
> say, the version of libgcrypt I'm using. I get the same error
> in both Linux and Solaris, so it seems unlikely to be one of
> the other system libraries I'm linking to.
>
>
> Any idea which version of libgcrypt the code was tested with?
>
>
> Thanks,
>
>
> Jesse Anderton
>
>
> On Wed, Dec 23, 2009 at 1:42 PM, Christian Grothoff
> <address@hidden> wrote:
> Dear Jesse,
>
> poll support was added after 0.4.4 (see ChangeLog). The version constant in
> SVN HEAD will be updated once we make the next release to allow for an easy
> test for this feature.
>
> And no, you do not need MHD_USE_POLL for MHD_USE_SELECT_INTERNALLY.
>
> Best,
>
> Christian
>
>
> On Wednesday 23 December 2009 15:27:01 Jesse Anderton wrote:
> > Christian,
> >
> > Thanks for your advice! I tried replacing MHD_USE_SELECT_INTERNALLY
> > with MHD_USE_THREAD_PER_CONNECTION and it failed with a different error.
> > Do I need to use this in conjunction with MHD_USE_POLL? If so, do you
> > know whether this option is only available in the development version of
> > libmicrohttpd, or whether it's an option for configure to find? It isn't
> > defined in my copy of microhttpd.h, but my copy has the same value for
> > MHD_VERSION as the version in the documentation at
> > http://www.gnu.org/software/libmicrohttpd/doxygen/dc/d0c/microhttpd_8h_source.html
> > (which does include MHD_USE_POLL). That is, both contain the line:
> >
> > #define MHD_VERSION 0x00040400
> >
> >
> > Thanks again,
> >
> > Jesse Anderton
> >
> > On Tue, Dec 22, 2009 at 9:56 AM, Christian Grothoff <address@hidden> wrote:
> > > SSL support is known to be not playing nicely with select -- this is
> > > largely an issue with gnuTLS and its API. Until this is fixed, try using
> > > the thread-per-connection mode and most likely it'll work.
> > >
> > > Best,
> > >
> > > Christian
> > >
> > > On Monday 21 December 2009 19:34:21 Jesse Anderton wrote:
> > > > I have just started using libmicrohttpd, and can't seem to get the SSL
> > > > support working. It may contribute to the problem that the library is
> > > > not retrying gnutls_handshake() when it returns GNUTLS_E_AGAIN, as
> > > > suggested in the documentation at
> > > > http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#gnutls_005fhandshake,
> > > > but it seems likely that I'm making a mistake somewhere.
> > > >
> > > > I am using the following library versions:
> > > > * libmicrohttpd - 0.4.4
> > > > * libgcrypt - 1.4.4
> > > > * libgpg-error - 1.7
> > > >
> > > > I am using a wrapper class in C++ to invoke libmicrohttpd. My code to
> > > > start up the daemon is:
> > > >
> > > >     // std::string _httpsKey = contents of a RSA private key
> > > >     // std::string _httpsCertificate = contents of a certificate for _httpsKey
> > > >     _daemon = MHD_start_daemon(
> > > >         MHD_USE_SELECT_INTERNALLY                 // We don't need to implement our own select
> > > >       | MHD_USE_DEBUG                             // Output messages to the errorCallback
> > > >       | ( _httpsKey.empty() ? 0 : MHD_USE_SSL )   // Enable SSL/TLS if so requested
> > > >       , port
> > > >       , &webClientAuthCallback, this
> > > >       , &webCallback, this
> > > >       , MHD_OPTION_THREAD_POOL_SIZE, _options[ THREAD_POOL_SIZE ]
> > > >       , MHD_OPTION_CONNECTION_LIMIT, _options[ CONNECTION_LIMIT ]
> > > >       , MHD_OPTION_PER_IP_CONNECTION_LIMIT, _options[ PER_IP_CONNECTION_LIMIT ]
> > > >       , MHD_OPTION_CONNECTION_TIMEOUT, _options[ CONNECTION_TIMEOUT ]
> > > >       , MHD_OPTION_URI_LOG_CALLBACK, uriLogCallback, this
> > > >       , MHD_OPTION_EXTERNAL_LOGGER, webErrorCallback, this
> > > >       , MHD_OPTION_HTTPS_MEM_KEY, _httpsKey.c_str()
> > > >       , MHD_OPTION_HTTPS_MEM_CERT, _httpsCertificate.c_str()
> > > >       , MHD_OPTION_END );
> > > >
> > > > I am also using HTTP basic auth in webCallback(), using code very
> > > > similar to that in the tutorial which has been proven to work without
> > > > using TLS.
> > > >
> > > > The private key and certificate were both generated by the commands
> > > > listed in the libmicrohttpd tutorial:
> > > > openssl genrsa -out server.key 1024
> > > > openssl req -days 365 -out server.pem -new -x509 -key server.key
> > > >
> > > > If I fetch a page with a URL like https://host:port/some/file.html I
> > > > get the following messages in webErrorCallback():
> > > >
> > > > Google Chrome 4.0.249.30:
> > > > Error: Handshake has failed (-28)
> > > > Error: Handshake has failed (-28)
> > > > Error: unrecognized TLS message type: 0, connection state: secure connection init. l: 254, f: MHD_tls_connection_handle_read
> > > >
> > > > Mozilla Firefox 3.5.5:
> > > > Error: unrecognized TLS message type: 128, connection state: secure connection init. l: 254, f: MHD_tls_connection_handle_read
> > > >
> > > > Microsoft Internet Explorer 6.0:
> > > > Error: unrecognized TLS message type: 128, connection state: secure connection init. l: 254, f: MHD_tls_connection_handle_read
> > > >
> > > > Note that -28 is the value of GNUTLS_E_AGAIN.
> > > >
> > > > Can anyone offer a hand?
> > > >
> > > > Thanks for your time,
> > > >
> > > > Jesse Anderton
> > >
> > > --
> > > http://grothoff.org/christian/
> >
>
>
> --
> http://grothoff.org/christian/
>
>
>
>
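
The thread turns on what a select-driven server should do when gnutls_handshake() returns GNUTLS_E_AGAIN (-28). The C model below is an added example, not code from libmicrohttpd, GnuTLS or any poster: it keeps the connection in the handshake state on a retryable code, closes it on a fatal one, and caps the retries so a stalled peer cannot hold the slot forever. handshake_step(), struct conn and the max_wakeups cap are hypothetical stand-ins so it builds without GnuTLS, and the return codes are replayed from constructed scripts.

```c
#include <stddef.h>

/* -28 is GNUTLS_E_AGAIN (per the thread); -52 is GNUTLS_E_INTERRUPTED. */
enum { HS_OK = 0, HS_E_AGAIN = -28, HS_E_INTERRUPTED = -52 };
enum conn_state { CONN_HANDSHAKING, CONN_SECURE, CONN_CLOSED };

struct conn {
    enum conn_state state;
    const int *script;      /* constructed return codes for the stand-in below */
    size_t script_len, pos;
    unsigned wakeups;       /* readable events spent in the handshake so far */
};

/* Hypothetical stand-in for gnutls_handshake() on a non-blocking socket:
 * replays the script, then keeps reporting "no data yet". */
static int handshake_step(struct conn *c)
{
    return c->pos < c->script_len ? c->script[c->pos++] : HS_E_AGAIN;
}

/* Call whenever select() reports the socket readable. */
static enum conn_state on_readable(struct conn *c, unsigned max_wakeups)
{
    if (c->state != CONN_HANDSHAKING)
        return c->state;
    int rc = handshake_step(c);
    if (rc == HS_OK)
        c->state = CONN_SECURE;
    else if (rc != HS_E_AGAIN && rc != HS_E_INTERRUPTED)
        c->state = CONN_CLOSED;          /* genuine handshake failure */
    else if (++c->wakeups >= max_wakeups)
        c->state = CONN_CLOSED;          /* peer never finished: stop waiting */
    return c->state;
}

/* Drive one connection through a script and return its final state. */
static enum conn_state run_script(const int *script, size_t n, unsigned max_wakeups)
{
    struct conn c = { CONN_HANDSHAKING, script, n, 0, 0 };
    while (c.state == CONN_HANDSHAKING)
        on_readable(&c, max_wakeups);
    return c.state;
}

int main(void)
{
    static const int two_retries[] = { HS_E_AGAIN, HS_E_AGAIN, HS_OK };
    return run_script(two_retries, 3, 8) == CONN_SECURE ? 0 : 1;
}
```

A real server would bound the handshake with a wall-clock deadline rather than an event count; the count is used here only to keep the model deterministic.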