From e236bb9495b554a6b30bdb01e57340b24c62d140 Mon Sep 17 00:00:00 2001 From: Fulton Browne Date: Sun, 30 May 2021 01:48:57 +0000 Subject: new --- posts/2021-05-30+9front+tls+Part+1 | 73 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 posts/2021-05-30+9front+tls+Part+1 diff --git a/posts/2021-05-30+9front+tls+Part+1 b/posts/2021-05-30+9front+tls+Part+1 new file mode 100644 index 0000000..2246c78 --- /dev/null +++ b/posts/2021-05-30+9front+tls+Part+1 @@ -0,0 +1,73 @@ +# A guide to the Plan9/9front TLS system - Part 1. Servers + +Editors note: (ok, editor an author are the same here, bu you get the idea) there is a lot of refrences to Plan9/9front specific programs here. If you don't run 9 check out the online manual page repo + +=> http://man.cat-v.org/9front/ Man pages + +Much of the work I plan on doing this summer (see my last post) either uses or modifies the 9front tls system. I'm writing this to help myself get a good understanding on how the 9front tls system works and hopefully, you do too. + +The tls system comes in 3 parts: +tls(3) - the kernel tls filesystem (fs) (Plan9's motto: "Everything is a file") also known as devtls + +pushtls(2) the C interface to the tls fs + +tlssrv(8) the userspace tls tools + +We're going to review these tools in reverse order to get an understanding on how tls works in Plan9. + +Ok, imagine you're running a web server with Cinap's tcp80(8) and listen(8) (similar to inetd(8)). In /rc/bin/service/tcp80 you have this: + +#!/bin/rc +# my git server stuff would +# go here +rfork n +exec /bin/tcp80 + +The UNIX minded reader already understand's how this works: stuff runs then we use exec to take over the standard input/output of the called script, which would be the http stream coming from listen(8). +Ok, say we want https because we're not stupid and want to not be tracked by are isp's and vps providers. well, make a cert (see rsa(8)), create /rc/bin/service/tcp443 with this content: + +#!/bin/rc +# my git server stuff would +# go here +rfork n +exec /bin/tlssrv -c $certfile /bin/tcp80 + +Boom. you have https. Because of the plan9 philosophy you can do this with smtpd(8), ftpd(8), 9p (exportfs(8)), gopher (tcp70(8)), or even fingerd(8). + +=> http://fulton.software/docs/meme2.jpg We all get tls! +=> https://fulton.software/docs/meme2.jpg We all get tls!, but your browser doesn't like my self signed cert + +This model is great for light tasks Like my blog and low-traffic email server, but not great for a large website or anything that needs that needs to "scale". + +Ok, now its time for some C. + +=> https://xkcd.com/371 Segfault time + +I'm not going to take the time to write out a full web server right now, but I'll give you the short version. To write the server you use listen(2). + +So you're going to announce that you want a port and ip + +acfd = announce("tcp!*!9999", adir); + +check that nothing broke, start an infinite loop, in that loop listen: + +lcfd = listen(adir, ldir); + +this blocks the thread until we get something, then you're going to want to fork() and accept the connection with: + +dfd = accept(lcfd, ldir); + +dfd is a file descriptor with the connection stream read() to get the input write() to create an output. Ok, now create a tls connection, load the cert and get a tls fd. + +onn = (TLSconn*)mallocz(sizeof *conn, 1); +conn->cert = readcert("cert.pem", &conn->certlen); +fd = tlsServer(dfd, conn); + +Now all operation on fd (read and write) are tunneled through tls. + +[much of the code for that example was taken from the EXAMPLES section of pushtls(2) and listen(2)] + +OK, that's all for now, in my next post we'll be covering tls clients, see you then :) + +-- +Fulton -- cgit 1.4.1-2-gfad0