Re: [gnet-dev] [PATCH] SSL



Hi,

> Both the SSL context and session are stored in the Option struct, so
> maybe caching is still possible.  What exactly is OpenSSL caching
> anyway?
Ok. The SSL session caching mechanism is used to reduce the session creation cost
in OpenSSL. With this an allocated set of sessions can be reused. See
Apache-SSL :)

> The point adding SSL support vs. adding OpenSSL support.  Using GNet SSL
> shouldn't require understanding OpenSSL, only SSL.
That's right! But there are some special "features" in OpenSSL, like CRL
handling, which make a transparent implementation hard.

> If you get a non secure context, the function should fail because the
> whole point was to get a secure context.   Or, this should be
> configurable (with not-secure=failure by default).
I have never tried it, but I think it will be clear behavior if you must
specify at least the CA certificate verification locations; otherwise the
context initialization fails.
 
> Yes, so I'm wondering if tcp->iochannel should be the GSSLIOChannel or
> not.  
I think the answer is no, because glib's I/O channel handling
mechanism only works well if tcp->iochannel is a GIOChannel. We should
solve our problems another way.

> I could add a set_io_channel to GTcpSocket.  Or change the
> io_channel constructor so the GTcpSocket is passed, like this:
> 
> 	gnet_ssl_io_channel_new_connect(GTcpSocket* tcp_socket, options)
I think the last one is better.

> Will OpenSSL only work on TCP socket descriptors?  If so, this would be
> better API.
There isn't any problem with other socket types like UNIX or UDP. I think
if we finish the design of the TCP socket, any other will be easy to implement.

Do you have any idea how we can pass the SSL options to async callbacks
if we don't want to use the default options?

Technical question: Do you want to make the changes discussed above on my
patch? Or do I need to do that?

Best regards,
Ferenc 


