I spent quite a bit of time researching how to solve this problem, but have not yet found a working solution.
Problem: I use the OpenSSL library on Linux. I have a server process P1 accepting an SSL connection from an SSL client. P1 does tcp_accept() and then SSL_accept() and exchanges some protocol data with the client via SSL_read()/SSL_write(). All is well up to this point. Now, by P1's design, it is necessary to fork a child process C1 in order to serve the client from now on. C1 uses the execve call to re-image itself and run another binary. C1 still needs to talk to the SSL client over the same SSL connection that was used in P1. The problem is that C1 is a completely different process, so how can it reuse the existing SSL connection for this client? I can transfer the underlying TCP socket descriptor from P1 to C1, because that is supported by the kernel, but I cannot transfer the SSL context, because it is held inside the OpenSSL library.
I saw this thread on Stack Overflow, but unfortunately no solution was given: OpenSSL: accept a TLS connection and then move on to another process
Possible solution: I am not sure whether anyone has already solved this problem, but here is what I tried.
I thought I could just create a new SSL context and perform an SSL renegotiation in the new child process. So in C1, I created a new SSL context on the same underlying TCP socket fd and tried to perform an SSL renegotiation. Here is what I did (omitting the SSL_CTX initialization part):
SSL *ssl = SSL_new(ctx);   // ctx is initialized the same way as on the P1 server
SSL_set_fd(ssl, fd);       // fd is the underlying TCP socket fd transferred from P1 to C1
SSL_set_accept_state(ssl);
SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
SSL_renegotiate(ssl);
SSL_do_handshake(ssl);     // this first call is where the internal OpenSSL error comes back
ssl->state = SSL_ST_ACCEPT; // pokes OpenSSL's internal state directly (non-opaque struct layout)
SSL_do_handshake(ssl);
But the renegotiation failed and returns me an internal OpenSSL error from the first call to SSL_do_handshake(). I'm not even sure if this can really be done. Another solution that I can think of is as follows.
- Somehow transfer the entire SSL context for this client from P1 to C1. How can this be done effectively? I can think of shared memory for this, but I'm not quite sure it covers all the internal state of OpenSSL that would need to be copied into shared memory. This seems to be the most logical solution, but I'm not familiar enough with the OpenSSL code to do this.
Has anyone encountered a similar problem and solved it? I would really appreciate any help in this regard.
Thanks a lot.
ssen
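The kernel-side half of the question, the transfer of the TCP socket descriptor from P1 to C1, written out as an added example (it is neither the asker's code nor part of OpenSSL's API): one process hands an open descriptor to another over a Unix-domain socket with an SCM_RIGHTS control message, and the receiver gets a fresh descriptor that refers to the same open file. The helper names send_fd, recv_fd and fd_passing_roundtrip are this example's own; the self-check runs both ends in one process over a socketpair so it works offline. It illustrates exactly the limitation the question states: what crosses the process boundary is the socket, and nothing of the TLS state that OpenSSL keeps in user space.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Send one open descriptor over a Unix-domain socket with SCM_RIGHTS.
 * Returns 0 on success, -1 on failure. (Hypothetical helper name.) */
int send_fd(int chan, int fd_to_send) {
    char dummy = 'F';   /* at least one byte of ordinary payload must accompany the control data */
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    char ctrl[CMSG_SPACE(sizeof(int))];
    memset(ctrl, 0, sizeof ctrl);

    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl;
    msg.msg_controllen = sizeof ctrl;

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));

    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new fd or -1. The kernel installs a
 * new descriptor number in the receiving process for the same open file.
 * Truncated or unexpected control messages are rejected rather than trusted. */
int recv_fd(int chan) {
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    char ctrl[CMSG_SPACE(sizeof(int))];
    memset(ctrl, 0, sizeof ctrl);

    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl;
    msg.msg_controllen = sizeof ctrl;

    if (recvmsg(chan, &msg, 0) != 1)
        return -1;
    if (msg.msg_flags & MSG_CTRUNC)   /* control data did not fit: refuse */
        return -1;

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;

    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Self-check (constructed, single process): pass the write end of a pipe across a
 * socketpair, then prove the received descriptor reaches the same pipe.
 * Returns 1 on success, 0 on failure. */
int fd_passing_roundtrip(void) {
    int chan[2], pipefd[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) != 0) return 0;
    if (pipe(pipefd) != 0) return 0;

    if (send_fd(chan[0], pipefd[1]) != 0) return 0;
    int got = recv_fd(chan[1]);
    if (got < 0 || got == pipefd[1]) return 0;   /* must be a distinct descriptor */

    const char probe[] = "socket-only-no-tls-state";
    if (write(got, probe, sizeof probe) != (ssize_t)sizeof probe) return 0;
    char buf[sizeof probe];
    if (read(pipefd[0], buf, sizeof buf) != (ssize_t)sizeof buf) return 0;

    int ok = memcmp(buf, probe, sizeof probe) == 0;
    close(got); close(pipefd[0]); close(pipefd[1]); close(chan[0]); close(chan[1]);
    return ok;
}
```

In the P1/C1 setup from the question, chan would be a Unix-domain socket shared with the child (or the child's inherited side of a socketpair created before fork), and fd_to_send would be the accepted TCP socket; after execve the child would call recv_fd and then, as the question found, still have to rebuild the TLS side on its own.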