Eduard Suica

Reputation: 81

Share SSL socket with child process

I'm working on a server that needs to support wss://. The server needs to process the websocket header, to identify the request, and then may decide to pass the SSL context to a worker process. For now, the server uses OpenSSL for SSL communications, but from my understanding sharing a secure socket between processes is not possible with OpenSSL (tried with SSL_SESSION in parent process and d2i_SSL_SESSION/SSL_CTX_add_session in child process) - reference: http://openssl.6102.n7.nabble.com/How-to-share-SSL-sessions-between-parent-and-child-process-when-doing-fork-exec-td11077.html.

I'm looking at other SSL libraries that may allow this, currently looking at NSS.

Is this possible with any mature open source SSL library?

Upvotes: 3

Views: 1211

Answers (2)

Eduard Suica

Reputation: 81

After a few months of trying to find a way to achieve this with libssl, I decided to make my own TLS implementation. I found no way of implementing this functionality without understanding and modifying libssl (or libressl). I still think it is possible, I just didn't find a way. I've implemented a TLS library from scratch and put it on GitHub. Now I have the two needed functions tls_export_context and tls_import_context.

Upvotes: 3

Steffen Ullrich

Reputation: 123320

Is this possible with any mature open source SSL library?

I don't think it is possible with any SSL library which is implemented in user-space, because then you would continuously need to share the state of a single SSL connection among multiple processes. Contrary to this, the state of the underlying TCP connection is managed inside the kernel and there is only a single state even if the same connection is open by parent and child process.

And I don't know of any SSL library which is not implemented in user-space.

Upvotes: 0
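The split the answers describe, as an added illustration that is not code from either answer or from any TLS library: the descriptor is inherited by the child and the kernel tracks the stream position, but the record-layer state lives in process memory and has to be exported after the parent's last read. `RecordState` is a toy MAC-and-sequence-number layer (not TLS), `export()` is a hypothetical stand-in for an export-context call, and the key and messages are constructed sample values.

```python
import hmac, os, socket, struct

class RecordState:
    """Toy user-space record layer (not TLS): a MAC key plus a sequence number."""
    def __init__(self, key, seq=0):
        self.key, self.seq = key, seq
    def _tag(self, payload):
        return hmac.digest(self.key, struct.pack(">Q", self.seq) + payload, "sha256")
    def seal(self, payload):
        record = struct.pack(">H", len(payload)) + payload + self._tag(payload)
        self.seq += 1
        return record
    def open(self, sock):
        length = struct.unpack(">H", sock.recv(2, socket.MSG_WAITALL))[0]
        payload = sock.recv(length, socket.MSG_WAITALL)
        tag = sock.recv(32, socket.MSG_WAITALL)
        if not hmac.compare_digest(tag, self._tag(payload)):
            raise ValueError("bad record MAC")
        self.seq += 1
        return payload
    def export(self):  # hypothetical analogue of an export-context call
        return self.key + struct.pack(">Q", self.seq)

def worker(fd, blob):
    """Child side: uses only the inherited descriptor and the exported bytes."""
    state = RecordState(blob[:32], struct.unpack(">Q", blob[32:])[0])
    try:
        return state.open(socket.socket(fileno=fd))
    except ValueError:
        return b"MAC-FAIL"

def handoff(export_after_header):
    client_sock, server_sock = socket.socketpair()  # stands in for the TCP connection
    key = os.urandom(32)                            # constructed session key
    client, server = RecordState(key), RecordState(key)
    client_sock.sendall(client.seal(b"GET /chat") + client.seal(b"hello worker"))
    stale = server.export()                         # state before the parent read anything
    server.open(server_sock)                        # parent consumes the header record
    blob = server.export() if export_after_header else stale
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        try:
            os.write(w, worker(server_sock.fileno(), blob))
        finally:
            os._exit(0)
    os.close(w)
    result = os.read(r, 64)
    os.waitpid(pid, 0)
    return result
```

`handoff(True)` returns the second record's payload because the worker starts from the parent's current sequence number; `handoff(False)` returns `b"MAC-FAIL"` because the kernel has already advanced the stream past the header while the worker's state has not.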
