A post on integrating SSL with IOCP

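This document describes in detail how to combine the OpenSSL library with Winsock's I/O completion port (IOCP) mechanism, including the specific steps for reading and writing through the BIO mechanism, and offers advice on handling the SSL/TLS handshake and overlapped I/O.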

Original: http://marc.info/?l=openssl-users&m=99909952822335&w=2

There seems to be very little material on this topic; this is one of the more useful resources I could find.



List:       openssl-users
Subject:    RE: OpenSSL and Winsock IO Completion Ports
From:       "Dale Peakall" <dale.peakall () bit-arts ! com>
Date:       2001-08-29 15:36:59

> I am a bit new to OpenSSL, and I am a C++ Programmer.
> I'm trying to develop a server that will use the OpenSSL library, under
> the mechanism of Winsock's I/O Completion Ports(IOCP).
> Would someone please tell me how is it possible?

The normal solution is to make use of the SSL library's BIO mechanism.
A BIO represents an I/O stream and all data read/written by the SSL library
uses a BIO.  When you call SSL_set_fd(), the SSL library internally
creates a pair of BIO's that know how to read and write from a socket.

You can make the SSL library read/write from a different type of BIO by
using the SSL_set_bio() function.

The type of BIO you want to use is created by calling BIO_new_bio_pair().

BIO_new_bio_pair() returns a pair of BIO's that are linked.  One of the
BIO's (generally called the 'internal' BIO) is used for reading/writing
unencrypted data, the other (generally called the 'network' BIO) is used
for reading/writing encrypted data.

The BIO's are linked so that data written to the internal BIO appears
encrypted on the network BIO and data written to the network BIO appears
unencrypted on the internal BIO.

A good place to look for example code is Lutz Jaenicke's Postfix/TLS
toolkit.

http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/

> I mean, the OpenSSL's read() and write() methods are only for plain send
> and receive. Moreover, to use the IOCP mechanism I need to use Overlapped
> IO, so how can I do this combining OpenSSL?
> If there's an example I would like to have it.

There's a lot of work involved in this, you basically need to have a pool of
threads that wait on GetQueuedCompletionStatus().  When data is received
they need to write it onto the network BIO.

If the data is part of the SSL/TLS handshake (you can tell by calling
SSL_in_init()) you need to call SSL_accept() or SSL_connect() depending
on whether you're a client or a server.

Otherwise, you need to call your application level handlers that try to read
the data from the internal BIO and do whatever is appropriate.

Having done this, you need to determine whether there's data to be written
(you can tell by calling BIO_ctrl_pending() on the network BIO) and post an
OVERLAPPED write request.

Don't forget to post another OVERLAPPED read request and off you go.

In addition, if you're acting as a server you'll need to handle accepting
new connections (with WSAAsyncAccept()) etc.

It all gets pretty complex, pretty quick, but it is manageable.  It took me
about three months development to write a basic server that does everything
without leaking, crashing or running into a loop (that's without application
code - apart from the message dispatcher).

> Another thing: I would like to know how to properly build and configure a
> certificate into the SSL Program.

You can create the appropriate C structures from a certificate using the
openssl x509 -C -noout -in <file> command (or something like that - the -C
flag is the important one).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
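
The per-completion steps described in the reply above, shown as an added example that is not part of the original post or of Postfix/TLS: it uses Python's `ssl.MemoryBIO` and `SSLContext.wrap_bio()`, which give the same socket-free BIO model, so it runs without Windows or a network. `TlsEngine`, `on_read_complete` and the host name `example.test` are names assumed for illustration; the IOCP calls themselves are left to the caller.

```python
import ssl

class TlsEngine:
    """Per-connection TLS state fed only by completed reads (hypothetical name)."""

    def __init__(self, ctx, server_side, hostname=None):
        self.net_in = ssl.MemoryBIO()    # ciphertext received from the peer
        self.net_out = ssl.MemoryBIO()   # ciphertext waiting for an overlapped write
        self.tls = ctx.wrap_bio(self.net_in, self.net_out,
                                server_side=server_side, server_hostname=hostname)
        self.handshaking = True          # plays the role of SSL_in_init()

    def on_read_complete(self, data=b""):
        """Handle the bytes of one completed read.

        Returns (plaintext, to_send, keep_open): data for the application
        handlers, ciphertext to post as a write, and whether to post a new read.
        """
        if data:
            self.net_in.write(data)      # completions may carry partial records
        plaintext, keep_open = b"", True
        try:
            if self.handshaking:
                self.tls.do_handshake()  # SSL_accept()/SSL_connect() equivalent
                self.handshaking = False
            while True:                  # drain every complete record
                chunk = self.tls.read(16384)
                if not chunk:            # peer sent close_notify
                    keep_open = False
                    break
                plaintext += chunk
        except ssl.SSLWantReadError:
            pass                         # not an error: more bytes are needed
        except ssl.SSLError:
            keep_open = False            # fatal: send any pending alert, then close
        # Equivalent of checking BIO_ctrl_pending() on the network BIO.
        to_send = self.net_out.read() if self.net_out.pending else b""
        return plaintext, to_send, keep_open


if __name__ == "__main__":
    # Constructed demo: a client engine produces its ClientHello with no socket.
    client = TlsEngine(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), False, "example.test")
    _, hello, keep = client.on_read_complete()
    print(len(hello), "bytes to send, keep_open =", keep)
    # A server engine that receives plaintext HTTP must close, not re-post a read.
    server = TlsEngine(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER), True)
    print(server.on_read_complete(b"GET / HTTP/1.1\r\n\r\n"))
```

A worker thread returning from GetQueuedCompletionStatus() with a finished read would call `on_read_complete()`, post `to_send` as an overlapped write, and post the next read only when `keep_open` is true.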


2011.06.14

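In fact, their mailing list does have quite a lot of related material. However, it seems that getting a reply to a question is always rather hard!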

 
