I am using a openssl library to implement tls server.
How to configure the Heartbeat request timeout and retry count using openssl API to control the keepalive message flow?
I'm assuming you really do mean TLS as you said and not DTLS. Using heartbeats in TLS is quite unusual, although OpenSSL does support it in version 1.0.2. That support is removed from OpenSSL 1.1.0 so, for that reason, I would advise against using it in a new application. Use TCP keep alives instead.
The Heartbeat API is really quite simple. You can do three things:
1) Send a heartbeat using SSL_heartbeat()
2) Find out if a previously sent heartbeat is still pending a response using SSL_get_tlsext_heartbeat_pending()
and
3) Set the Heartbeat mode to disallow the peer from sending heartbeat requests using SSL_set_tlsext_heartbeat_no_requests()
Anything else is up to the application. Retries should not be necessary in TLS because it is designed to run over a reliable transport layer. If the connection is alive, it will get there. If it isn't, it won't. The TCP layer will handle retransmission of lost packets. Timeouts should also really be done at the TCP layer. If the TCP connection times out the SSL connection will fail.
Related
I'm currently working on an embedded TCP server using LWIP stack. I would like to use the keepalive functions in the server to let him detect when a client unexpectedly lost the connection. Do you know if keepalive can be used from the server or does-it only concern client side ?
thanks by advance
Using LwIP's BSD-like sockets API and the setsockopt() call you can keep it alive.
I am implementing a Web proxy (in C), with the end goal of implementing some simple caching and adblocking. Currently, the proxy supports normal HTTP sites, and also supports HTTPS sites by implementing tunneling with HTTP CONNECT. The proxy works great running from localhost and configured with my browser.
Despite all of this, I'll never be able to implement my desired features as long as the proxy can not decrypt HTTPS traffic. The essence of my question is: what general steps do I need to take to be able to decrypt this traffic and implement what I would like? I've been researching this, and there seems to be a good amount of information on existing proxies that are capable of this, such as Squid.
Currently, my server uses select() and keeps all client ids in an fd_set. When a CONNECT request is made, it makes a TCP connection to the specified host, and places the file descriptor of both the client and the host into the fd_set. It also places the tuple of fd's into a list, and the list is scanned whenever more data is ready from select() to see if data is coming from an existing tunnel. The data is then read and forwarded blindly. I am struggling to see how to intercept this data at all, due to the nature of the CONNECT verb requiring opening a simple TCP socket to the desired host, and then "staying out of it" while the client and host set up their own SSL sockets. I am simply asking for the right direction for how I can go about using the proxy as a MITM attacker in order to read and manipulate the data coming in.
As a brief aside, this project is solely for my own use, so no security or advanced functionality is needed. I just need it to work for one browser, and I am happy to get any warnings from the browser if certificate-spoofing is the best approach.
proxy can not decrypt HTTPS traffic
You are trying to mount a man-in-the-middle attack. SSL is designed to prevent that. But - there is a weak point - a list of trusted certificate authorities.
I am simply asking for the right direction for how I can go about using the proxy as a MITM attacker in order to read and manipulate the data coming in.
You can get inspiration from Fiddler. The Fiddler has its own CA certificate (certification authority) and once you add this CA certificate as trusted, then Fiddler generates server certificates for each connection you use on the fly.
It comes with serious security consideration, your browser will trust any site. I've even seen using the Fiddler core inside a malware, so be careful
I was looking to create a http2 streaming client in C which is able to connect to server, create stream and keep listening for messages from server on that stream without cancelling the stream unless explicitly cancelled or network issue.
I was trying to implement it via libcurl but seems there is no such support in libcurl, at best what I can do is just make a request with curl and not have a timeout. Then curl will just sit there waiting for the transfer to start or complete, until the server does that. And when one transfer is done, the client can just issue another request and go back to waiting...
But I just want to maintain the stream rather than issuing another request to server after receiving message.
I don't want to use GRPC which provides similar functionality but along with it comes lots of complexity of libs and platform dependencies to be resolved.
Is there any other C based library or any http2 stream reference which I should have a look at?
I have an application that uses Camel Netty4 component as a consumer endpoint which is configured as a TCP client (clientMode set to true) with the reconnect option enabled. The reconnect feature works well, the TCP client automatically reconnects to the remote server after a connection outage. Unfortunately it seems that this reconnect behavior runs indefinitely until the connection is established. Is there some way to set a limit to this reconnect feature, i.e. put a limit on how many reconnect attempts can be made before throwing a connection error?
Another question but this one is for the Netty4 component implemented as a producer that sends a payload to a remote server. Is there a way to configure the endpoint to enable the reconnect feature which would allow the TCP client to try establish a connection for a number of attempts before throwing a connection error?
In Camel 2.17-SNAPSHOT, there is no way to limit the amount of reconnection attempts. The reconnection is handled by ClientModeTCPNettyServerBootstrapFactory#scheduleReconnect. See here.
Currently it doesn't track the number of attempts, but it would be pretty simple to implement this functionality by adding a counter inside the anonymous Runnable.
Could you please open a ticket in the Camel JIRA?
Thanks!
I dont think limit for retry feature is avaialble at present for consumer, but you can specify the interval in which these retries can happen , the timeunit is in milliseconds.
I am looking for an echo server example using libev or libevent that accepts websocket connections: a websocket client connects, sends a message and receives it back. SSL websockets should also be supported. Is there such thing available? If not, what's the most minimal websocket C library that can be plugged into a libev or libevent echo examples?