Pure Perl OpenSSL Library

 
 
Marc
      02-25-2005
Hi,

I'm developing a software that needs to act as a Certificate
Authority. I must use Perl for this.
I would like to avoid forking at each certificate request as there will
be several requests within seconds. The problem is that all the SSL
modules I can find for Perl are using the openssl command line.

Can someone point me to/give me the name of a project that has (even if
not complete) a pure Perl/C OpenSSL library?

I would be very surprised if no such project exists... but who knows?

Marc
 
Big and Blue
      02-26-2005
Marc wrote:
>
> I'm developing a software that needs to act as a Certificate
> Authority. I must use Perl for this.


An odd pre-requisite if it stops you achieving your actual goal.

> I would like to avoid forking at each certificate request as there will
> be several requests within seconds. The problem is that all the SSL
> modules I can find for Perl are using the openssl command line.


My suspicion is that if you are worried about the cost of forking then
you're looking at the wrong thing. I assume you are intending that this
system be generating certificates? If so, then the resources for that (in
particular its random/prime number generating) will make any forking
resource demands pale into insignificance.

> Can someone point me to/give me the name of a project that has (even if
> not complete) a pure Perl/C OpenSSL library?
>
> I would be very surprised if no such project exists... but who knows?


Why would you be surprised? Perhaps others see that it would be a lot
of work for almost no gain? The openssl command already exists. Perl has
adequate ways to run external commands.


--
Just because I've written it doesn't mean that
either you or I have to believe it.
 
Marc
      02-26-2005
Big and Blue <(E-Mail Removed)> writes:

> Marc wrote:
> >
>> I'm developing a software that needs to act as a Certificate
>> Authority. I must use Perl for this.

>
> An odd pre-requisite if it stops you achieving your actual goal.


This will be behind an Apache server. I first wrote the test system
using Python, but Perl is widely used here, so I must use it

>> I would like to avoid forking at each certificate request as there will
>> be several requests within seconds. The problem is that all the SSL
>> modules I can find for Perl are using the openssl command line.

>
> My suspicion is that if you are worried about the cost of forking
> then you're looking at the wrong thing. I assume you are intending
> that this system be generating certificates? If so, then the
> resources for that (in particular its random/prime number generating)
> will make any forking resource demands pale into insignificance.


You are right. But if I just want to get some field from the
certificates, forking is a bit heavy for this... But I will investigate
this. Thanks for the remark

>> Can someone point me to/give me the name of a project that has (even if
>> not complete) a pure Perl/C OpenSSL library?
>> I would be very surprised if no such project exists... but who knows?
>>

>
> Why would you be surprised? Perhaps others see that it would be a
> lot of work for almost no gain? The openssl command already exists.
> Perl has adequate ways to run external commands.


Yes, but if you read the openssl manual, you will see that this is some
sort of 'demo' tool not intended to be used for a CA... It is not
locking the cert db, return status not very easy to use in script (must
read stderr to see if the certificate has been added for example)... I
know this is possible and projects are using this, but this is not as
clean as a pure perl solution... I thought maybe someone did such a
lib, as it is possible to find all sorts of things in Perl... why not?

Thanks,

Marc
 
Big and Blue
      02-26-2005
Marc wrote:
>
> This will be behind an Apache server. I first wrote the test system
> using Python, but Perl is widely used here, so I must use it


You missed my point. Perl is an option, not a requirement.

>> My suspicion is that if you are worried about the cost of forking
>>then you're looking at the wrong thing.

>.....
> You are right. But if I just want to get some field from the
> certificates, forking is a bit heavy for this... But I will investigate
> this. Thanks for the remark


Forking isn't *that* heavy. However, modules such as IO::Socket::SSL
do certificate verification, so perhaps you could look through that to see
how it does it? Presumably to verify it, it must look at the certificate
fields.

>
> Yes, but if you read the openssl manual, you will see that this is some
> sort of 'demo' tool not intended to be used for a CA...


You could make it so with a little work....

> It is not
> locking the cert db,


So, write a simple Perl module which does this before calling openssl....

> return status not very easy to use in script (must
> read stderr to see if the certificate has been added for example)


...and which then parses stderr and returns the status.

> I thought maybe someone did such a
> lib, as it is possible to find all sort of thing in Perl... why not?


Waiting for someone to do it? Are you volunteering?


--
Just because I've written it doesn't mean that
either you or I have to believe it.
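
The wrapper suggested in the post above (take a lock on the CA database, call openssl, hand back a status), as an added example that is not part of the original thread. The paths and the sub names `run_openssl` and `sign_csr` are assumptions, and the CA key is assumed to need no interactive passphrase.

```perl
# Added example, not code from the thread. Paths and sub names are assumptions.
use strict;
use warnings;
use Fcntl qw(:flock);
use IPC::Open3;

my $CA_CONF = '/etc/myca/openssl.cnf';   # hypothetical CA configuration
my $CA_LOCK = '/etc/myca/ca.lock';       # hypothetical lock file

# Run openssl without a shell (list form), so file names taken from a
# request are never interpreted as shell syntax. stdout and stderr are
# merged into one handle to avoid a two-pipe deadlock.
sub run_openssl {
    my @args = @_;
    my $pid = open3(my $in, my $out, undef, 'openssl', @args);
    close $in;
    my $log = do { local $/; <$out> };
    waitpid($pid, 0);
    return ($?, defined $log ? $log : '');
}

# Sign one CSR. Returns (1, log) on success, (0, log) on failure.
sub sign_csr {
    my ($csr, $cert) = @_;
    # "openssl ca" updates index.txt and serial; allow one writer at a time.
    open(my $lock, '>>', $CA_LOCK) or die "open $CA_LOCK: $!";
    flock($lock, LOCK_EX)          or die "flock $CA_LOCK: $!";

    unlink $cert;    # a stale file must not pass for a new certificate
    my ($status, $log) = run_openssl('ca', '-batch', '-config', $CA_CONF,
                                     '-in', $csr, '-out', $cert);

    # Do not rely on stderr text: require a clean exit, a non-empty output
    # file, and that the file parses as an X.509 certificate.
    my $ok = ($status == 0 && -s $cert) ? 1 : 0;
    if ($ok) {
        my ($check) = run_openssl('x509', '-in', $cert, '-noout', '-subject');
        $ok = $check == 0 ? 1 : 0;
    }
    close $lock;     # closing the handle releases the lock
    return ($ok, $log);
}

if (@ARGV == 2) {
    my ($ok, $log) = sign_csr(@ARGV);
    print STDERR $log unless $ok;
    exit($ok ? 0 : 1);
}
```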
 
Marc
      02-27-2005
Big and Blue <(E-Mail Removed)> writes:

> Marc wrote:
> >
>> This will be behind an Apache server. I first wrote the test system
>> using Python, but Perl is widely used here, so I must use it

>
> You missed my point. Perl is an option, not a requirement.


Yes and no. If I want to make some script with apache and use some
languages used in my "team", there's not much left

>>> My suspicion is that if you are worried about the cost of forking
>>>then you're looking at the wrong thing.

>> ..... You are right. But if I just want to get some field from
>> the
>> certificates, forking is a bit heavy for this... But I will investigate
>> this. Thanks for the remark

>
> Forking isn't *that* heavy. However, modules such as
> IO::Socket::SSL do certificate verification, so perhaps you could look
> through that to see how it does it? Presumably to verify it, it must
> look at the certificate fields.


My system will receive bursts of a thousand and more requests within a short
period (seconds/minutes), so I want to avoid forks as much as possible.

> So, write a simple Perl module which does this before calling openssl....
> ...and which then parses stderr and returns the status.


I'm already doing this. But for example, if openssl returned something
else than 0 when there is a problem, it would be easier than parsing
undocumented output from stderr

> Waiting for someone to do it? Are you volunteering?


Not waiting for someone to do it, asking if someone knows about this
sort of project. I'm afraid I'm not skilled enough in Perl and don't
have time for writing such a thing, so I'll use what's already existing.


Thanks,
Marc
 
Big and Blue
      02-28-2005
Marc wrote:
>>

> My system will receive bursts of a thousand and more requests within a short
> period (seconds/minutes), so I want to avoid forks as much as possible.


Requests for what? I presume you aren't going to be creating/issuing
thousands of certificates within minutes.

If you are trying to validate an "incoming" SSL certificate in Apache
you should use mod_ssl. But what are you actually trying to do?

--
Just because I've written it doesn't mean that
either you or I have to believe it.
 
Marc
      02-28-2005
Big and Blue <(E-Mail Removed)> writes:

> Marc wrote:
>>>

>> My system will receive bursts of a thousand and more requests within a short
>> period (seconds/minutes), so I want to avoid forks as much as possible.

>
> Requests for what? I presume you aren't going to be
> creating/issuing thousands of certificates within minutes.


Yes, I will.

> If you are trying to validate an "incoming" SSL certificate in
> Apache you should use mod_ssl. But what are you actually trying to do?


Already using that

I'm writing a system that will be able to identify node's clusters, so I
will have lots and lots of certificate requests at startup, then only https
requests, handled by mod_ssl.

Marc
 
Big and Blue
      03-01-2005
Marc wrote:
>
>> Requests for what? I presume you aren't going to be
>>creating/issuing thousands of certificates within minutes.

>
> Yes, I will.


You will be *creating* thousands of certificates within minutes!? Why?

> I'm writing a system that will be able to identify node's clusters, so I
> will have lots and lots of certificate requests at startup, then only https
> requests, handled by mod_ssl.


Sorry - you've lost me (or rather, you haven't found me yet...).

a) What is starting up?
b) What type of certificate requests are these?

Are these "node's clusters" sending certificates for validation?
(mod_ssl can do that).


--
Just because I've written it doesn't mean that
either you or I have to believe it.
 
Marc
      03-01-2005
Big and Blue <(E-Mail Removed)> writes:

> Marc wrote:
>>
>>> Requests for what? I presume you aren't going to be
>>>creating/issuing thousands of certificates within minutes.

>> Yes, I will.

>
> You will be *creating* thousands of certificates within minutes!? Why?


Because I have thousands of nodes that need a certificate

>> I'm writing a system that will be able to identify node's clusters, so I
>> will have lots and lots of certificate requests at startup, then only https
>> requests, handled by mod_ssl.

>
> Sorry - you've lost me (or rather, you haven't found me yet...).
>
> a) What is starting up?


The nodes

> b) What type of certificate requests are these?


certificate request created with openssl (first generate a key, then you
can create a certificate request).

> Are these "node's clusters" sending certificates for validation?
> (mod_ssl can do that).


Yes they are, but the bottleneck is the step just before this one. The
node needs a certificate if it wants to send it, right? So how do I
provide these thousand certificates?

As soon as the nodes have their certificate, this is easy (some
configuration in apache); this is already working.

I was just looking for the fastest way to run a script that can make
some checks (I won't issue certificates for every request) and from a
certificate request, issue a signed certificate. That's all.

I first tried python because I know this language. Everybody uses Perl
here, and they want to be able to read my soft after I'm gone, so I'm
moving to Perl.

If you have better idea, let me know.


Marc
 
Big and Blue
      03-02-2005
Marc wrote:
>
>> You will be *creating* thousands of certificates within minutes!? Why?

>
> Because I have thousands of nodes that need a certificate


But not new ones at each startup, surely?


> Yes they are, but the bottleneck is the step just before this one. The
> node needs a certificate if it wants to send it, right? So how do I
> provide these thousand certificates?


Create them once, save them on each node and get each node to use its
saved one when it starts.

> I was just looking for the fastest way to run a script that can make
> some checks (I won't issue certificates for every request) and from a
> certificate request, issue a signed certificate. That's all.


So get the client to save it and reuse it for some time (you can set
your own expiry date...).

--
Just because I've written it doesn't mean that
either you or I have to believe it.
 