Add a tutorial on writing a simple blocking TLS client #21133
Conversation
This blocking client is intended to be used to explain how to implement a simple client in the documentation.
mattcaswell
added
branch: master
|
@vdukhovni - I'd appreciate your input on this (in particular the demo) |
Provide guidance on the steps needed to write a very simple blocking TLS client.
mattcaswell
force-pushed
the
guide-blocking
branch
from
c903317
to
b1085f2
Compare
| */ | ||
| ctx = SSL_CTX_new(TLS_client_method()); | ||
| if (ctx == NULL) { | ||
| printf("Failed to create the SSL_CTX\n"); |
There was a problem hiding this comment.
I would use a wrapper function that prints the error stack.
There was a problem hiding this comment.
I'm not sure it adds much? The error stack printing is already there and in the common "end" block. The only thing different about each location is printing the error message itself.
There was a problem hiding this comment.
Yes, HTTP?1.0 is supposed to close by default, but AFAIK sending Connection: close is still recommended, but I'm not sure how useful this is in practice.
| /* Create an SSL object to represent the TLS connection */ | ||
| ssl = SSL_new(ctx); | ||
| if (ssl == NULL) { | ||
| printf("Failed to create the SSL object\n"); |
There was a problem hiding this comment.
Call same wrapper to dump the error stack and then print the message. Here and below as appropriate.
| * Virtually all clients should do this unless you really know what you | ||
| * are doing. | ||
| */ | ||
| if (!SSL_set1_host(ssl, HOSTNAME)) { |
There was a problem hiding this comment.
Perhaps mention that in some cases it may be appropriate to disable wildcard matching mentioning the relevant manpage.
There was a problem hiding this comment.
I'd prefer not to in this example. I'm trying to keep it simple and the wildcard handling is probably not something most users need to be worrying about.
| } | ||
|
|
||
| /* Write an HTTP GET request to the peer */ | ||
| if (!SSL_write_ex(ssl, request, strlen(request), &written)) { |
There was a problem hiding this comment.
This is the blocking API, with no WANT_READ/WANT_WRITE. It may be also good to have examples that use a non-blocking BIO poll for I/O completion/ready.
There was a problem hiding this comment.
I plan to do provide a specific example and associated tutorial for non-blocking in a future PR.
demos/guide/tls-client-block.c
Outdated
| * non-printable or have NUL characters in the middle of it. | ||
| */ | ||
| buf[readbytes] = '\0'; | ||
| printf("%s", buf); |
There was a problem hiding this comment.
Could just use fwrite(3) to dump readbytes bytes of the response, and then putchar('\n').
There was a problem hiding this comment.
Also, what if the server does not close the connection as soon as the response is sent? Perhaps also include a "Connection: close\r\n" request header?
There was a problem hiding this comment.
I'm doing HTTP/1.0 here. IIUC, in HTTP/1.0 the default expectation is that the connection is closed automatically. The "Connection: close" header is an HTTP/1.1 header so shouldn't be needed. Or have I misunderstood something?
For tutorial type pages it doesn't make any sense to have a DESCRIPTION section.
We split the page into two: one covering basic TLS introductory material that applies to both clients and servers, and one with the specific material on writing a blocking TLS client.
Done |
|
All feedback addressed or otherwise responded to above. Please take another look. |
paulidale
removed
the
approval: otc review pending
|
@vdukhovni you should probably reappove after the changes. |
| /* Helper function to create a BIO connected to the server */ | ||
| static BIO *create_socket_bio(const char *hostname, const char *port) | ||
| { | ||
| int sock = -1; |
There was a problem hiding this comment.
On Windows the socket type is a HANDLE, not an int. Is this code supposed to be Windows-portable?
There was a problem hiding this comment.
Yes, that is an interesting anomaly. However BIO_socket() and friends return an int - so this code is correct. InternallyBIO_socket() implicitly casts the HANDLE to int. But its been that way for a very long time and is used (for example in s_client and s_server). So in practice I don't think this is actually a problem. Either way it isn't a problem for this demo code because it is using the API as it is designed.
| */ | ||
| ctx = SSL_CTX_new(TLS_client_method()); | ||
| if (ctx == NULL) { | ||
| printf("Failed to create the SSL_CTX\n"); |
There was a problem hiding this comment.
Yes, HTTP?1.0 is supposed to close by default, but AFAIK sending Connection: close is still recommended, but I'm not sure how useful this is in practice.
Ok. I added the "Connection: close" header. It may be redundant, but at least it looks harmless. |
|
I've pushed a fixup to add the "Connection: close" header. I also spotted a minor bug in my socket creation code (missing "break" in the for loop) which I also fixed. So - please could I have one more round of reconfirmations? @vdukhovni, @paulidale. |
|
@mattcaswell Needs rebase over check-ansi fix |
It is sufficient to close&reopen so the test is re-run. |
paulidale
added
approval: done
openssl-machine
added
approval: ready to merge
|
This pull request is ready to merge |
|
Merged to master. |
This blocking client is intended to be used to explain how to implement a simple client in the documentation. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #21133)
Provide guidance on the steps needed to write a very simple blocking TLS client. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #21133)
For tutorial type pages it doesn't make any sense to have a DESCRIPTION section. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #21133)
We split the page into two: one covering basic TLS introductory material that applies to both clients and servers, and one with the specific material on writing a blocking TLS client. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #21133)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #21133)
Provide guidance on the steps needed to write a very simple blocking TLS
client.