@indutny
Last active August 29, 2015 14:06
OpenSSL async key exchange


Rationale

  • Moving the private keys out of the public-facing servers.
  • Preventing private key extraction in case of memory disclosure bugs (like Heartbleed).

Design

The following patch aims to provide a way for a server to asynchronously request private key signing/decryption from another party (such as a different thread or a remote server).

This is done by splitting each of:

  • ssl3_get_client_key_exchange()
  • ssl3_send_server_key_exchange()

into two functions and adding an intermediate state for each. The output data (from the remote server) should be supplied using SSL_supply_key_ex_data(), at which point the handshake is able to continue.

Until SSL_supply_key_ex_data() is called, all calls like:

  • SSL_read()
  • SSL_write()
  • SSL_accept()

will return either of:

  • SSL_ERROR_WANT_RSA_DECRYPT (for non-DH ciphers)
  • SSL_ERROR_WANT_SIGN (for DH ciphers)

More details in the actual documentation.
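
A minimal model of the control flow described above, as an added example that is not part of the gist or the patch. The `conn_*` functions, states and numeric return values are hypothetical stand-ins for the patched OpenSSL calls, and rejecting data supplied outside the waiting state is an assumption of this model, not documented behaviour of the patch.

```c
#include <stdio.h>
#include <string.h>

/* Toy model only: names and numeric values are hypothetical, not OpenSSL's. */
enum hs_state { ST_KEX_A, ST_KEX_WAIT, ST_KEX_B, ST_DONE };
enum { HS_OK = 1, HS_ERROR = -1, HS_WANT_RSA_DECRYPT = -2, HS_WANT_SIGN = -3 };

struct conn {
    enum hs_state state;
    int dh_cipher;              /* 1: DH cipher (sign), 0: non-DH (RSA decrypt) */
    unsigned char kex_data[64]; /* result supplied by the key holder */
    size_t kex_len;
};

/* Stands in for SSL_accept()/SSL_read()/SSL_write() driving the handshake. */
int conn_handshake(struct conn *c) {
    for (;;) {
        switch (c->state) {
        case ST_KEX_A:    /* first half: request handed to the key holder */
            c->state = ST_KEX_WAIT;
            break;
        case ST_KEX_WAIT: /* intermediate state: nothing to do until supplied */
            return c->dh_cipher ? HS_WANT_SIGN : HS_WANT_RSA_DECRYPT;
        case ST_KEX_B:    /* second half: consume the supplied result */
            c->state = ST_DONE;
            break;
        case ST_DONE:
            return HS_OK;
        }
    }
}

/* Stands in for SSL_supply_key_ex_data(); accepts data only while waiting. */
int conn_supply_key_ex_data(struct conn *c, const unsigned char *d, size_t n) {
    if (c->state != ST_KEX_WAIT || n == 0 || n > sizeof c->kex_data)
        return 0; /* unsolicited, repeated, empty or oversized input */
    memcpy(c->kex_data, d, n);
    c->kex_len = n;
    c->state = ST_KEX_B;
    return 1;
}

int main(void) {
    struct conn c = { ST_KEX_A, 1, {0}, 0 };
    printf("%d\n", conn_handshake(&c));  /* parked: HS_WANT_SIGN */
    conn_supply_key_ex_data(&c, (const unsigned char *)"constructed-sig", 15);
    printf("%d\n", conn_handshake(&c));  /* handshake continues: HS_OK */
    return 0;
}
```

In an event loop, the want-style return is the point at which the caller forwards the request to the key holder and stops polling the connection until the reply arrives.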
