@rojer that PR looks reasonable - does it make sense to integrate?

this is a near-copy of mg_set_ssl in a server-only mode. can you explain the problem first so we can see why mg_set_ssl is not suitable here?

The functionality of mg_set_ssl_server is indeed similar to mg_set_ssl, but with mg_set_ssl it is impossible to change plain TCP connection into SSL one, while the functionality is required for the SSL proxy.

actually, that is exactly what mg_set_ssl - add SSL context to plain TCP
connection and i personally have been using it to create outgoing SSL
connections.
can you please give a concrete example where it doesn't work and your
variant does?

On Thu, Dec 24, 2015 at 1:13 PM Joseph Hindin [email protected]
wrote:

The functionality of mg_set_ssl_server is indeed similar to mg_set_ssl,
but with mg_set_ssl it is impossible to change plain TCP connection into
SSL one, while the functionality is required for the SSL proxy.

—
Reply to this email directly or view it on GitHub
#606 (comment).

Deomid "rojer" Ryabkov,
Software Engineer
Cesanta Software Ltd.

The sample proxy with ( limited ) support for SSL bumping is available
here: https://github.com/jhindin/mongoose-c--proxy
and mg_set_ssl is not sufficient: after mg_set_ssl is invoked on the live
connection, SSL handshake is not processed properly.

On Thu, Dec 24, 2015 at 7:18 PM, rojer [email protected] wrote:

actually, that is exactly what mg_set_ssl - add SSL context to plain TCP
connection and i personally have been using it to create outgoing SSL
connections.
can you please give a concrete example where it doesn't work and your
variant does?

On Thu, Dec 24, 2015 at 1:13 PM Joseph Hindin [email protected]
wrote:

The functionality of mg_set_ssl_server is indeed similar to mg_set_ssl,
but with mg_set_ssl it is impossible to change plain TCP connection into
SSL one, while the functionality is required for the SSL proxy.

—
Reply to this email directly or view it on GitHub
#606 (comment).

Deomid "rojer" Ryabkov,
Software Engineer
Cesanta Software Ltd.

—
Reply to this email directly or view it on GitHub
#606 (comment).

if you want incoming connections to use SSL, you should call mg_set_ssl on
the listener connection instead of switching after the connection has been
accepted. do you do that?

On Thu, Dec 24, 2015 at 8:26 PM Joseph Hindin [email protected]
wrote:

The sample proxy with ( limited ) support for SSL bumping is available
here: https://github.com/jhindin/mongoose-c--proxy
and mg_set_ssl is not sufficient: after mg_set_ssl is invoked on the live
connection, SSL handshake is not processed properly.

On Thu, Dec 24, 2015 at 7:18 PM, rojer [email protected] wrote:

actually, that is exactly what mg_set_ssl - add SSL context to plain TCP
connection and i personally have been using it to create outgoing SSL
connections.
can you please give a concrete example where it doesn't work and your
variant does?

On Thu, Dec 24, 2015 at 1:13 PM Joseph Hindin [email protected]
wrote:

The functionality of mg_set_ssl_server is indeed similar to mg_set_ssl,
but with mg_set_ssl it is impossible to change plain TCP connection
into
SSL one, while the functionality is required for the SSL proxy.

—
Reply to this email directly or view it on GitHub
#606 (comment).

Deomid "rojer" Ryabkov,
Software Engineer
Cesanta Software Ltd.

—
Reply to this email directly or view it on GitHub
#606 (comment).

—
Reply to this email directly or view it on GitHub
#606 (comment).

Deomid "rojer" Ryabkov,
Software Engineer
Cesanta Software Ltd.

No, I don't want to start connection in SSL mode - the SSL bumping proxy starts plain connection and then change it to SSL after 'connect' method arrives.

i thought proxy's job in handling CONNECT is supposed to be to just shuttle raw bytes back and forth, and it's up to the client to perform handshake.
or do you want to terminate client's SSL and act as a man in the middle?

the only real difference in the new method is the setting of the new MG_F_SSL_SERVER_TRANSITION flag. that's a lot of copy-paste, i don't like it. calling mg_set_ssl and later setting this flag should work, no? what am i missing?

or do you want to terminate client's SSL and act as a man in the middle?

Yes, exactly - that is what SSL bumping does.

calling mg_set_ssl and later setting this flag should work, no?

No, it doesn't when SSL handshake has to be performed on already live connection - with mg_set_ssl called on already live connection, ssl_begin never reports success.

that's a lot of copy-paste, i don't like it.

I see your point; let me try to find the way to unify the functions.

yeah, i get that, but other than setting the flags i don't see any real
differences.
maybe unified function will underscore them, but for now i this this should
work just as well:

mg_set_ssl(nc, ...)
nc->flags |= MG_F_SSL_SERVER_TRANSITION;

why wouldn't it?

On Thu, Dec 24, 2015 at 9:26 PM Joseph Hindin [email protected]
wrote:

or do you want to terminate client's SSL and act as a man in the middle?

Yes, exactly - that is what SSL bumping does.

calling mg_set_ssl and later setting this flag should work, no?

No, it doesn't when SSL handshake has to be performed on already live
connection - with mg_set_ssl called on already live connection, ssl_begin
never reports success.

that's a lot of copy-paste, i don't like it.

I see your point; let me try to find the way to unify the functions.

—
Reply to this email directly or view it on GitHub
#606 (comment).

Deomid "rojer" Ryabkov,
Software Engineer
Cesanta Software Ltd.

I am closing this pull request, as it is superseded by request #611