Skip to content
This repository has been archived by the owner on Mar 2, 2024. It is now read-only.

How to use certify with Async SSL #58

Open
benstadin opened this issue Feb 22, 2020 · 3 comments
Open

How to use certify with Async SSL #58

benstadin opened this issue Feb 22, 2020 · 3 comments

Comments

@benstadin
Copy link

benstadin commented Feb 22, 2020
edited
Loading

I'm trying get certify working for a Async SSL Client (I have to use Async because I need to set a timeout). The stream is declared as:

beast::ssl_streambeast::tcp_stream stream_;

I don't find the matching function for setting host name and sni:

    boost::certify::set_server_hostname(beast::get_lowest_layer(stream_).socket(), host);
    boost::certify::sni_hostname(beast::get_lowest_layer(stream_), host);

Does certify work in async mode?

Edit: Sorry, the title should read Async SSL instead.
@benstadin benstadin changed the title How to use certify with Sync SSL How to use certify with Async SSL Feb 22, 2020
@benstadin
Copy link
Author

I got it working by replacing set_server_name with the detail implementation call (as a workaround for now):

    boost::system::error_code ec;
    boost::certify::detail::set_server_hostname(stream_.native_handle(), host, ec);
    if (ec)
        boost::throw_exception(boost::system::system_error{ec});

@djarek
Copy link
Owner

djarek commented Feb 22, 2020

Unfortunately, the ssl stream in Beast doesn't seem to have an API that exposes the underlying SSL socket. As a sidenote: I'm no longer working on this library, due to fundemental implemntation issues when working with OpenSSL (and especially when working with ASIO's wrapper on top OpenSSL).

The primary issue is that OpenSSL doesn't expose a way of doing asynchronous operations in the verification callback (something that, IIRC, BoringSSL does allow), which means that doing things like OCSP lookup (which involes doing a simplified HTTP reques) can't be done in a non-blocking way.

While this is not an issue for synchronous programs, it may be an issue for programs that do async operations. At this point I'd probably recommend doing what the mobile app folks have been doing all along - if their native code uses OpenSSL, bundle certs with the app, keep the app updated.
This does not give the full verification functionality (no OCSP), but it's better than no verification at all on Windows or MacOS/iOS.

What would be a proper solution? Hard to say. Probably replacing asio::ssl with something that uses the native TLS capabilities (because they do the proper verification on their own). But that's a massive project in itself even though it doesn't involve writing TLS impl itself, just wrapping platform-specific TLS API.s

@benstadin
Copy link
Author

Thanks @djarek that all makes sense. The Java folks also have their own Java keystore (could be accessed using JNI in theory), and tools like Hashicorp's Vault might fill that gap.

Thanks again for your thorough feedback. I'll reconsider my software design.

@jens-diewald jens-diewald mentioned this issue Apr 9, 2021
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@benstadin @djarek