From mboxrd@z Thu Jan 1 00:00:00 1970
From: Sam
To: <9fans@cse.psu.edu>
Subject: Re: [9fans] TLSServer?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Sat, 15 Nov 2003 11:01:30 -0500
Topicbox-Message-UUID: 8a6bce02-eacc-11e9-9e20-41e7f4b1d025

> If you want the Plan 9 interface (just pushtls and use the resulting fd
> in normal I/O), the right thing to do seems to be to create a pipe and
> then run openssl in a child encrypting between the pipe and your old fd.
> Then you can use the pipe as your normal encrypted fd. There was a
> library that did this (either with or without SSL) (by someone in
> Australia, perhaps?) but I cannot find it online anymore. Presumably
> it's not _too_ hard to write the appropriate program using OpenSSL
> (maybe it's even an example). The pipe+exec code is trivial.

Sorry for the late response - I just got back to looking at this today.

There's only one problem with the pleasantly trivial solution above. The
unices still have unidirectional pipes, so I can't read and write the
returned fd.

I'm looking at implementing serveopenssl(int, ...) that takes an already
set up socket fd ready for accept and the tls cert necessities. I plan to
return a socket descriptor for a unix domain server, and as I get
completed tls connections I'll make a client connect to the udom server
and marshal data back and forth.

Sure seems like a lot of work just to get the security insulated from the
application code.

Suggestions welcomed.

Sam
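Added example, not code from the thread or from Sam: the pipe+exec plumbing described above done with socketpair(2) instead of a pipe, since a Unix socketpair is bidirectional and gives the application one fd it can both read and write, as pushtls does on Plan 9. The child is where the OpenSSL encrypt/decrypt step would sit; here it copies bytes unchanged so the plumbing can be checked offline, and the names push_relay, pump and relay_roundtrip are my own.

```c
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/wait.h>
/* Added example (not from the 9fans thread). Copy bytes both ways between a
 * and b until either side closes; a real relay would encrypt/decrypt here. */
static void pump(int a, int b) {
    char buf[4096];
    for (;;) {
        fd_set rd; FD_ZERO(&rd); FD_SET(a, &rd); FD_SET(b, &rd);
        if (select((a > b ? a : b) + 1, &rd, NULL, NULL, NULL) < 0) return;
        int from = FD_ISSET(a, &rd) ? a : b, to = (from == a) ? b : a;
        ssize_t n = read(from, buf, sizeof buf);
        if (n <= 0) return;                     /* EOF or error: stop relaying */
        for (ssize_t off = 0, w; off < n; off += w)   /* handle short writes */
            if ((w = write(to, buf + off, n - off)) <= 0) return;
    }
}
/* Unix stand-in for pushtls: hand over the raw connection fd, get back one fd
 * usable for both read and write. A pipe cannot do this; a socketpair can. */
int push_relay(int netfd) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                 /* child: owns netfd and sv[1] */
        close(sv[0]);
        pump(sv[1], netfd);
        _exit(0);
    }
    close(sv[1]);                   /* parent keeps only sv[0] ... */
    close(netfd);                   /* ... and never touches the raw fd again */
    return sv[0];
}
/* Self-check with a second socketpair standing in for the network peer:
 * returns 1 when data flows in both directions through the relay. */
int relay_roundtrip(void) {
    int net[2]; char buf[16];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, net) < 0) return 0;
    int app = push_relay(net[0]);   /* net[1] plays the remote peer */
    if (app < 0) return 0;
    int ok = write(app, "hello", 5) == 5 && read(net[1], buf, sizeof buf) == 5
          && memcmp(buf, "hello", 5) == 0;
    ok = ok && write(net[1], "world", 5) == 5 && read(app, buf, sizeof buf) == 5
          && memcmp(buf, "world", 5) == 0;
    close(app); close(net[1]);
    wait(NULL);                     /* child exits once the app side closes */
    return ok;
}
```

The same shape works for the server side: accept(2) the raw connection, call push_relay on it, and the application code only ever sees the returned fd.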