[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [libmicrohttpd] Problems with SSL/TLS
From: |
Christian Grothoff |
Subject: |
Re: [libmicrohttpd] Problems with SSL/TLS |
Date: |
Fri, 8 Jan 2010 10:58:13 +0100 |
User-agent: |
KMail/1.12.4 (Linux/2.6.31-1-amd64; KDE/4.3.4; x86_64; ; ) |
On Tuesday 05 January 2010 20:46:14 Jesse Anderton wrote:
> Christian,
>
> Thanks a lot for checking this out for me! I'm not sure what I'm doing
> differently, but now I know that the code should work. I was a little
> concerned since the documentation for MHD_USE_SSL at
> http://www.gnu.org/software/libmicrohttpd/microhttpd.html#SEC2 indicates
> that SSL is not yet supported. Most likely that comment just needs to be
> updated.
Right, in fact, I simply had to re-run texi2html and sync the webpage with
what was in SVN to fix this. Should be fixed now.
> Here's what happens when I attempt to duplicate your test:
>
> 1. I copied the server.* files you sent along with the latest
> tlsauthentication.c from svn HEAD into a folder. I added MHD_USE_DEBUG in
> order to get the output below (it fails either way).
>
> 2. I compiled the program like so (using g++ 3.3.3):
>
> gcc -o fs tlsauthentication.c -Iinclude -lmicrohttpd -lgcrypt -lgpg-error
>
> > -lsocket -lpthread -L~/dev/ext/lib/solaris_gcc3/static
>
> Note that I am linking statically, so I had to add a couple more libraries.
> I am also not using make install (because of company policies) so I have
> to provide an explicit path to these libraries.
>
> 3. I start the program and browse to https://testhost:8888/something.html.
> The browser appears to wait indefinitely to complete the SSL handshake.
>
> 4. I press Enter on the terminal running fs to stop it. The browser
> immediately gives up. fs outputs the following:
>
> Error: Handshake has failed (-28)
>
>
> I tried this with MHD_USE_THREAD_PER_CONNECTION and with
> MHD_USE_SELECT_INTERNALLY and got the same results in both modes.
>
> Perhaps I'm missing a library? I ran ldd on fs so you could compare it to
> yours and got:
>
> $ldd fs
>
> libsocket.so.1 => /usr/lib/libsocket.so.1
>
> libpthread.so.1 => /usr/lib/libpthread.so.1
>
> libc.so.1 => /usr/lib/libc.so.1
>
> libnsl.so.1 => /usr/lib/libnsl.so.1
>
> libdl.so.1 => /usr/lib/libdl.so.1
>
> libmp.so.2 => /usr/lib/libmp.so.2
>
> libthread.so.1 => /usr/lib/libthread.so.1
>
> /usr/platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1
>
>
> In case it's relevant, I'm compiling with g++ 3.3.3.
I don't think you are missing a library (you'd get the code dying with
"unresolved symbol" or something like that). Also, I'm not aware of any
issues specific to any version of gcc/g++ --- the code is rather
straightforward C code anyway.
My best guess is actually related to what I see in your last line: Sun-Fire-
V210: I have never tested this on Solaris (OS) or Sparc (CPU), and my guess
from that line is that you have both of those here. Furthermore, I doubt it is
a Solaris issue and more likely something like a single (buggy) 64-bit big-
endian conversion which might cause this kind of trouble for UltraSparc/PPC
archs only, and that's likely not been tested enough yet.
So I'd suggest this: first try the same code on a GNU/Linux Intel/AMD system
(and see if the Solaris browsers can access that site too!); then (maybe)
check with Solaris/x86. For debugging the issue once you have narrowed it
down like this a bit, you might get better reporting from CURL as a HTTPS
client (if you enable debugging).
Happy hacking!
Christian
> Kind regards,
>
> Jesse
>
> On Tue, Jan 5, 2010 at 10:37 AM, Christian Grothoff
>
> <address@hidden>wrote:
> > Dear Jesse,
> >
> > I've just tried this myself, and it worked as expected. I first used
> > openssl
> > to generate the KEY, PEM and CERT files:
> >
> > $ cd svn/libmicrohttpd/doc/examples/
> > $ openssl genrsa 1024 > server.key
> > $ openssl req -new -x509 -nodes -sha1 -days 365 -key server.key >
> > server.cert
> > $ cat server.cert server.key > server.pem
> >
> > Then I compiled the example
> >
> > $ gcc -o fs tlsauthentication.c -I ~/include/ -I ../../src/include/ -I
> > ../.. -
> > I ../daemon/https/ -lmicrohttpd
> >
> > Started fs
> >
> > $ ./fs
> >
> > and then accessed https://localhost:8888/ using firefox (3.5.6). It
> > "warned"
> > me about the self-signed cert (also attached for your reference), I
> > confirmed
> > that I knew what I was doing, then was prompted for username & password
> > (entered those from the source code) and then got the "secret" page.
> >
> > So I cannot confirm your problem. This was on Ubuntu GNU/linux (karmic)
> > using
> > the example as given in SVN HEAD.
> >
> > I hope this helps...
> >
> > Best,
> >
> > Christian
>
--
http://grothoff.org/christian/