OpenSSL using password-protected key file


OpenSSL using password-protected key file

Hans-Martin Mosner-3
Hello,
when using client certificates with OpenSSL one would want to store them in password-protected files. However, the openssl library function SSL_CTX_set_default_passwd_cb() that is used to set a callback function for getting at a password is not available in SciSslOpenSSLLibraryDispatcher. I tried to create an interface function for it, but callbacks from C are a bit tricky, and my experiments always result in image blow-ups.

Does anyone have a working implementation of this?

Cheers,
Hans-Martin

--
You received this message because you are subscribed to the Google Groups "VA Smalltalk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/va-smalltalk.
For more options, visit https://groups.google.com/d/optout.

Re: OpenSSL using password-protected key file

Seth Berman
Hello Hans-Martin,

Callbacks were not historically done for OpenSSL (I think) because the calling convention for the entry-point back into the VM was not available (specifically for Windows)... and it would just result in stack corruption.
9.0 VMs do have support for this so, in theory, this could be done.  But I haven't worked on implementing the callback-based APIs from OpenSSL yet.
I'm guessing in 8.6.3 you could make it work on Unix... but not on Windows.  Unless you recompiled OpenSSL using stdcall calling conventions.  Seems messy.

-- Seth

On Monday, February 26, 2018 at 10:45:30 AM UTC-5, Hans-Martin Mosner wrote:
Hello,
when using client certificates with OpenSSL one would want to store them in password-protected files. However, the openssl library function SSL_CTX_set_default_passwd_cb() that is used to set a callback function for getting at a password is not available in SciSslOpenSSLLibraryDispatcher. I tried to create an interface function for it, but callbacks from C are a bit tricky, and my experiments always result in image blow-ups.

Does anyone have a working implementation of this? (VAST 8.6.3)

Cheers,
Hans-Martin


Re: OpenSSL using password-protected key file

Hans-Martin Mosner-3
Hi Seth,
thank you very much for the information, good to know that with 9.0 this might be an option (I'm not afraid to change the OpenSSL interface to include a callback mechanism myself, but of course the VM needs to support the calling convention).
For now, we can work without a client certificate. Being able to connect to SSL-protected services at all (with very little coding effort) is a big advantage already.

Cheers,
Hans-Martin


Re: OpenSSL using password-protected key file

Seth Berman
Hello Hans-Martin,

Excellent.  I have made a note to post back here when I try out some of the callback APIs for 9.0.

Kind Regards,

-- Seth

On Thursday, March 8, 2018 at 6:30:37 AM UTC-5, Hans-Martin Mosner wrote:
Hi Seth,
thank you very much for the information, good to know that with 9.0 this might be an option (I'm not afraid to change the OpenSSL interface to include a callback mechanism myself, but of course the VM needs to support the calling convention).
For now, we can work without a client certificate. Being able to connect to SSL-protected services at all (with very little coding effort) is a big advantage already.

Cheers,
Hans-Martin
