Hi,
A while back I mentioned I'd like to write a pop3 server, and someone hinted
to me to use the popa3d that is in the attic.
I've hacked up popa3d to use tls_server() but I'm at a dillema. Popa3d as
you know forks and privseps into a popa3d user to handle AUTHORIZATION tasks
while keeping the descriptor open to both the popa3d child and the root
process.
The whole thing looks like this in the DESIGN file (somewhat):
------>
startup as root
|
-----------------
|child |parent
v v
drop to user popa3d, still as root,
handle the AUTHORIZATION wait for and
state, write the results, - - > read the authentication
and exit information
|
-----------------
|child |parent
v v
getspnam(3), crypt(3), wait for and
check, write the result, - - > read the authentication
and exit (to clean up) result
|
v
drop to the authenticated user,
handle the TRANSACTION state,
possibly UPDATE the mailbox,
and exit
<------
Because of the nature of a fork, filedescriptors are duplicated. When I
converted these filedescriptors to (struct tls *) contexes I fell into a
problem with TLS. In the area around the TRANSACTION state, so after
authenticating, I get a TLS error:
Dec 14 22:34:15 beta popa3d[52542]: Session from ::1
Dec 14 22:34:24 beta popa3d[52542]: Authentication passed for testpop
Dec 14 22:34:24 beta popa3d[52542]: 0 messages (0 bytes) loaded
Dec 14 22:34:24 beta popa3d[52542]: handshake failed: error:140260FC:SSL
routines:ACCEPT_SR_CLNT_HELLO:unknown protocol
Dec 14 22:34:24 beta popa3d[52542]: handshake failed: error:140260FC:SSL
routines:ACCEPT_SR_CLNT_HELLO:unknown protocol
I attribute this to TLS having a counter or something to keep state and because
of fork() the two identical TLS contexes get desyncronized.
Question then is: Is there a way to do this despite? Is there a way to tell
TLS to forget the forked child and continue with the root parent?
Would the only design that works for this be having a forked TLS process that
multiplexes the whole session?
Thanks and regards,
-peter
