-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Factor out the WiFiClient/Server objects #3
Comments
I need to think about that.
Not sure, what a clean approach here would be. |
From what I can tell, the following aspects should be considered:
There are examples in the core for using and setting up the secure client/server, including a certificate store. This issue is long term, and will likely require quite a bit of experimentation :p |
I'm playing around with some thoughts... curious to know your 2ct ;-) General:*Should the limitation for 1 connection at a time be removed? This is what stops Secure connections:
|
@earlephilhower is the right person to ask about the secure client/server, and whether the set up propagates/is shared when copying a server object. Because of the 16KB buffer, it's likely that 1 connection at a time is all that is possible, at least with secure comms and internal sram. |
FTP's inane setup with different dynamic control and data connections may be an issue when using WiFiClientSecure. WiFiServerSecure doesn't use much mem, but when you accept a connection it generates a new WiFiClientSecure object you use to talk to the other side, assuming the encryption handshake went well. That object you can copy around the same as a WiFiClient. Probably ~20kb worth of per-object data w/o MFLN. If MFLN is done (requires the client to request it, your ESP8266 server cannot due to the SSL protocol) that can go down to ~5k-ish. There is no concept of what you're trying to in any SSL:
SSL handshakes are required on any TLS connection. You can't copy things to short-circuit them. If you need 2 connections on different ports, you need 2 handshakes and 2 separate state objects. So w/o MFLN it's very unlikely you will be able to do 2 parallel connections. There is always a single 6K stack allocated whenever a WiFiServerSecure or WiFiClientSecure object exists, as @devyte said. |
@earlephilhower the question isn't whether the state can be copied over, but whether the setup can, i. e. fingerprint, CA, whatever. Or have a method so that one object can be set up based on another that is already set up. Is that possible? Does it make sense? |
No, there's no way to copy over the settings. You'll need to make the new object at the new data port and apply the same settings calls (cert, mfln, etc.). |
Apparently only the stream mode is used by this implementation which makes it difficult to have a control on the packet size, which in turn prevents to use MFLN. There is however a block mode which seems, when implemented, to limit the size of the transfered data blocks. It would suit MFLN and allow to handle two ssl connections in ram (6KB + 2*MFLNlimited). I cannot tell about usefulness of spending time in trying to implement FTPS. At least not before further understanding of the block mode. |
Details can be found in https://tools.ietf.org/html/rfc959. Reading about STRU(cture) {File, Record, Page} and MODE {Stream, Block, Compressed} it feels to me like of a tale from old times when the internet was made from IBM mainframes run from it's own power plant ;) the FTP protocol imho clearly suffers from it's ancient protocol design. It seems straight forward on first hand but a whole bunch of complexity arises from nowadays somewhat obscure transmission modes. Even vsftpd doesn't bother and just supports Stream Mode & File Structure - my guess for the sake of keeping it simple. With that said, from what I read at first glance, I don't really understand the difference between a Stream mode (in which the server could sends tcp packets as little in size as it wishes) and Block mode (in which the server breaks the stream into smaller chunks and sends them, again via tcp, I assume). Correct me, if I'm wrong: In my understanding, the size data that the server would write to a tcp connection, doesn't influence the size of the memory involved. If you write big chunks, the tcp stack just breaks it into more packets. Also, in my understanding of @earlephilhower, the amount of memory used for SSL over tcp is set by the SSL connenction handshake and again does not relate to the size of data, that is transferred over that SSL connection. And worse, the only way to make this memory small, is if the client requests it to be small. |
You are right about TCP. Peers can use whatever buffer size they wish, everything is buffered by the protocol or hold at its source until needed. That's why one should always check In SSL mode, we can say the same only when MLFN is enabled and negociated. |
One minorcorrection. With TLS one side sends a chunk of whatever size it wants, but if you don't receive and store that whole chunk you can't decode anything. It's like a block cipher with variable block sizes. So, w/MFLN if the other side sends a block larger than you can accept (i.e. the buffer size you set) then you can never decode it and the connection will die at that point. What size you |
The WiFiClient/Server should be factored out. This can be done by allowing a constructor that receives the object already prepared beforehand. An example is the http client. Alternatively, you can use an approach like the webserver.
The CAs or fingerprint or whatever can then be set up before passing in.
As in other such cases, the FTP client/server would not own the obkect passed in and so shouldn't destroy it.
The text was updated successfully, but these errors were encountered: