So, here's my dilemma: I'm working on a self-update mechanism in C++, and I can't figure out how to get OpenSSL to accept an int socket that's already been initialized in the previous version, and renegotiate the connection.
I've tried SSL_connect() on the off chance that'd work again, SSL_renegotiate() and SSL_do_handshake(), but I can't get anything working.
I imagine it's because OpenSSL doesn't know that the socket is already set up as TLS, but how do I tell it that?
In summary, I'm trying to re-establish a TLS connection after inheriting the raw 'int' socket descriptor from a previous version of the same program via an exec*() function.
Thanks.
An established SSL socket in OpenSSL contains a user-space SSL state. When doing an exec this state is lost, since the previous process and its memory are replaced with the new one. While it could in theory be possible to somehow serialize the full SSL state in one process and unserialize it in the new process, I don't think there is an OpenSSL API which does this. And it probably also cannot be done simply by saving and restoring some memory block, but likely depends on the current memory layout of the process, which is different in the new one.

The usual way to handle an existing SSL state by a new process is not to exec a new process, but instead to fork the existing process and exec the new one as a child, and then transfer the data from the child process by using the original (parent) process, which still has the established SSL state.

Another way would be to explicitly shut down the SSL session with SSL_shutdown before doing the exec, and to create a new SSL session on the same TCP connection with SSL_connect in the new process. Of course, this needs a kind of downgrade to plain TCP and upgrade to TLS again, which needs support on the other end of the TCP connection too.