… | |
… | |
14 | |
14 | |
15 | AnyEvent::Handle - non-blocking I/O on file handles via AnyEvent |
15 | AnyEvent::Handle - non-blocking I/O on file handles via AnyEvent |
16 | |
16 | |
17 | =cut |
17 | =cut |
18 | |
18 | |
19 | our $VERSION = 4.452; |
19 | our $VERSION = 4.8; |
20 | |
20 | |
21 | =head1 SYNOPSIS |
21 | =head1 SYNOPSIS |
22 | |
22 | |
23 | use AnyEvent; |
23 | use AnyEvent; |
24 | use AnyEvent::Handle; |
24 | use AnyEvent::Handle; |
… | |
… | |
249 | |
249 | |
250 | A string used to identify the remote site - usually the DNS hostname |
250 | A string used to identify the remote site - usually the DNS hostname |
251 | (I<not> IDN!) used to create the connection, rarely the IP address. |
251 | (I<not> IDN!) used to create the connection, rarely the IP address. |
252 | |
252 | |
253 | Apart from being useful in error messages, this string is also used in TLS |
253 | Apart from being useful in error messages, this string is also used in TLS |
254 | peername verification (see C<verify_peername> in L<AnyEvent::TLS>). |
254 | peername verification (see C<verify_peername> in L<AnyEvent::TLS>). This |
|
|
255 | verification will be skipped when C<peername> is not specified or |
|
|
256 | C<undef>. |
255 | |
257 | |
256 | =item tls => "accept" | "connect" | Net::SSLeay::SSL object |
258 | =item tls => "accept" | "connect" | Net::SSLeay::SSL object |
257 | |
259 | |
258 | When this parameter is given, it enables TLS (SSL) mode, that means |
260 | When this parameter is given, it enables TLS (SSL) mode, that means |
259 | AnyEvent will start a TLS handshake as soon as the conenction has been |
261 | AnyEvent will start a TLS handshake as soon as the conenction has been |
… | |
… | |
296 | |
298 | |
297 | Instead of an object, you can also specify a hash reference with C<< key |
299 | Instead of an object, you can also specify a hash reference with C<< key |
298 | => value >> pairs. Those will be passed to L<AnyEvent::TLS> to create a |
300 | => value >> pairs. Those will be passed to L<AnyEvent::TLS> to create a |
299 | new TLS context object. |
301 | new TLS context object. |
300 | |
302 | |
301 | =item on_starttls => $cb->($handle, $success) |
303 | =item on_starttls => $cb->($handle, $success[, $error_message]) |
302 | |
304 | |
303 | This callback will be invoked when the TLS/SSL handshake has finished. If |
305 | This callback will be invoked when the TLS/SSL handshake has finished. If |
304 | C<$success> is true, then the TLS handshake succeeded, otherwise it failed |
306 | C<$success> is true, then the TLS handshake succeeded, otherwise it failed |
305 | (C<on_stoptls> will not be called in this case). |
307 | (C<on_stoptls> will not be called in this case). |
306 | |
308 | |
307 | The session in C<< $handle->{tls} >> can still be examined in this |
309 | The session in C<< $handle->{tls} >> can still be examined in this |
308 | callback, even when the handshake was not successful. |
310 | callback, even when the handshake was not successful. |
|
|
311 | |
|
|
312 | TLS handshake failures will not cause C<on_error> to be invoked when this |
|
|
313 | callback is in effect, instead, the error message will be passed to C<on_starttls>. |
|
|
314 | |
|
|
315 | Without this callback, handshake failures lead to C<on_error> being |
|
|
316 | called, as normal. |
|
|
317 | |
|
|
318 | Note that you cannot call C<starttls> right again in this callback. If you |
|
|
319 | need to do that, start an zero-second timer instead whose callback can |
|
|
320 | then call C<< ->starttls >> again. |
309 | |
321 | |
310 | =item on_stoptls => $cb->($handle) |
322 | =item on_stoptls => $cb->($handle) |
311 | |
323 | |
312 | When a SSLv3/TLS shutdown/close notify/EOF is detected and this callback is |
324 | When a SSLv3/TLS shutdown/close notify/EOF is detected and this callback is |
313 | set, then it will be invoked after freeing the TLS session. If it is not, |
325 | set, then it will be invoked after freeing the TLS session. If it is not, |
… | |
… | |
349 | $self->no_delay (delete $self->{no_delay}) if exists $self->{no_delay}; |
361 | $self->no_delay (delete $self->{no_delay}) if exists $self->{no_delay}; |
350 | |
362 | |
351 | $self->starttls (delete $self->{tls}, delete $self->{tls_ctx}) |
363 | $self->starttls (delete $self->{tls}, delete $self->{tls_ctx}) |
352 | if $self->{tls}; |
364 | if $self->{tls}; |
353 | |
365 | |
354 | $self->on_drain (delete $self->{on_drain}) if exists $self->{on_drain}; |
366 | $self->on_drain (delete $self->{on_drain}) if $self->{on_drain}; |
355 | |
367 | |
356 | $self->start_read |
368 | $self->start_read |
357 | if $self->{on_read}; |
369 | if $self->{on_read}; |
358 | |
370 | |
359 | $self->{fh} && $self |
371 | $self->{fh} && $self |
… | |
… | |
575 | Scalar::Util::weaken $self; |
587 | Scalar::Util::weaken $self; |
576 | |
588 | |
577 | my $cb = sub { |
589 | my $cb = sub { |
578 | my $len = syswrite $self->{fh}, $self->{wbuf}; |
590 | my $len = syswrite $self->{fh}, $self->{wbuf}; |
579 | |
591 | |
580 | if ($len >= 0) { |
592 | if (defined $len) { |
581 | substr $self->{wbuf}, 0, $len, ""; |
593 | substr $self->{wbuf}, 0, $len, ""; |
582 | |
594 | |
583 | $self->{_activity} = AnyEvent->now; |
595 | $self->{_activity} = AnyEvent->now; |
584 | |
596 | |
585 | $self->{on_drain}($self) |
597 | $self->{on_drain}($self) |
… | |
… | |
1435 | my $err =Net::SSLeay::ERR_error_string (Net::SSLeay::ERR_get_error ()); |
1447 | my $err =Net::SSLeay::ERR_error_string (Net::SSLeay::ERR_get_error ()); |
1436 | |
1448 | |
1437 | # reduce error string to look less scary |
1449 | # reduce error string to look less scary |
1438 | $err =~ s/^error:[0-9a-fA-F]{8}:[^:]+:([^:]+):/\L$1: /; |
1450 | $err =~ s/^error:[0-9a-fA-F]{8}:[^:]+:([^:]+):/\L$1: /; |
1439 | |
1451 | |
|
|
1452 | if ($self->{_on_starttls}) { |
|
|
1453 | (delete $self->{_on_starttls})->($self, undef, $err); |
|
|
1454 | &_freetls; |
|
|
1455 | } else { |
|
|
1456 | &_freetls; |
1440 | $self->_error (&Errno::EPROTO, 1, $err); |
1457 | $self->_error (&Errno::EPROTO, 1, $err); |
|
|
1458 | } |
1441 | } |
1459 | } |
1442 | |
1460 | |
1443 | # poll the write BIO and send the data if applicable |
1461 | # poll the write BIO and send the data if applicable |
1444 | # also decode read data if possible |
1462 | # also decode read data if possible |
1445 | # this is basiclaly our TLS state machine |
1463 | # this is basiclaly our TLS state machine |
… | |
… | |
1461 | && ($tmp != $ERROR_SYSCALL || $!); |
1479 | && ($tmp != $ERROR_SYSCALL || $!); |
1462 | } |
1480 | } |
1463 | |
1481 | |
1464 | while (defined ($tmp = Net::SSLeay::read ($self->{tls}))) { |
1482 | while (defined ($tmp = Net::SSLeay::read ($self->{tls}))) { |
1465 | unless (length $tmp) { |
1483 | unless (length $tmp) { |
|
|
1484 | $self->{_on_starttls} |
|
|
1485 | and (delete $self->{_on_starttls})->($self, undef, "EOF during handshake"); # ??? |
1466 | &_freetls; |
1486 | &_freetls; |
|
|
1487 | |
1467 | if ($self->{on_stoptls}) { |
1488 | if ($self->{on_stoptls}) { |
1468 | $self->{on_stoptls}($self); |
1489 | $self->{on_stoptls}($self); |
1469 | return; |
1490 | return; |
1470 | } else { |
1491 | } else { |
1471 | # let's treat SSL-eof as we treat normal EOF |
1492 | # let's treat SSL-eof as we treat normal EOF |
… | |
… | |
1489 | $self->_drain_wbuf; |
1510 | $self->_drain_wbuf; |
1490 | } |
1511 | } |
1491 | |
1512 | |
1492 | $self->{_on_starttls} |
1513 | $self->{_on_starttls} |
1493 | and Net::SSLeay::state ($self->{tls}) == Net::SSLeay::ST_OK () |
1514 | and Net::SSLeay::state ($self->{tls}) == Net::SSLeay::ST_OK () |
1494 | and (delete $self->{_on_starttls})->($self, 1); |
1515 | and (delete $self->{_on_starttls})->($self, 1, "TLS/SSL connection established"); |
1495 | } |
1516 | } |
1496 | |
1517 | |
1497 | =item $handle->starttls ($tls[, $tls_ctx]) |
1518 | =item $handle->starttls ($tls[, $tls_ctx]) |
1498 | |
1519 | |
1499 | Instead of starting TLS negotiation immediately when the AnyEvent::Handle |
1520 | Instead of starting TLS negotiation immediately when the AnyEvent::Handle |
… | |
… | |
1570 | $self->{_wbio} = Net::SSLeay::BIO_new (Net::SSLeay::BIO_s_mem ()); |
1591 | $self->{_wbio} = Net::SSLeay::BIO_new (Net::SSLeay::BIO_s_mem ()); |
1571 | |
1592 | |
1572 | Net::SSLeay::set_bio ($ssl, $self->{_rbio}, $self->{_wbio}); |
1593 | Net::SSLeay::set_bio ($ssl, $self->{_rbio}, $self->{_wbio}); |
1573 | |
1594 | |
1574 | $self->{_on_starttls} = sub { $_[0]{on_starttls}(@_) } |
1595 | $self->{_on_starttls} = sub { $_[0]{on_starttls}(@_) } |
1575 | if exists $self->{on_starttls}; |
1596 | if $self->{on_starttls}; |
1576 | |
1597 | |
1577 | &_dotls; # need to trigger the initial handshake |
1598 | &_dotls; # need to trigger the initial handshake |
1578 | $self->start_read; # make sure we actually do read |
1599 | $self->start_read; # make sure we actually do read |
1579 | } |
1600 | } |
1580 | |
1601 | |
… | |
… | |
1604 | sub _freetls { |
1625 | sub _freetls { |
1605 | my ($self) = @_; |
1626 | my ($self) = @_; |
1606 | |
1627 | |
1607 | return unless $self->{tls}; |
1628 | return unless $self->{tls}; |
1608 | |
1629 | |
1609 | $self->{_on_starttls} |
|
|
1610 | and (delete $self->{_on_starttls})->($self, undef); |
|
|
1611 | |
|
|
1612 | $self->{tls_ctx}->_put_session (delete $self->{tls}); |
1630 | $self->{tls_ctx}->_put_session (delete $self->{tls}); |
1613 | |
1631 | |
1614 | delete @$self{qw(_rbio _wbio _tls_wbuf)}; |
1632 | delete @$self{qw(_rbio _wbio _tls_wbuf _on_starttls)}; |
1615 | } |
1633 | } |
1616 | |
1634 | |
1617 | sub DESTROY { |
1635 | sub DESTROY { |
1618 | my ($self) = @_; |
1636 | my ($self) = @_; |
1619 | |
1637 | |
… | |
… | |
1755 | $handle->on_drain (sub { |
1773 | $handle->on_drain (sub { |
1756 | warn "all data submitted to the kernel\n"; |
1774 | warn "all data submitted to the kernel\n"; |
1757 | undef $handle; |
1775 | undef $handle; |
1758 | }); |
1776 | }); |
1759 | |
1777 | |
|
|
1778 | If you just want to queue some data and then signal EOF to the other side, |
|
|
1779 | consider using C<< ->push_shutdown >> instead. |
|
|
1780 | |
|
|
1781 | =item I want to contact a TLS/SSL server, I don't care about security. |
|
|
1782 | |
|
|
1783 | If your TLS server is a pure TLS server (e.g. HTTPS) that only speaks TLS, |
|
|
1784 | simply connect to it and then create the AnyEvent::Handle with the C<tls> |
|
|
1785 | parameter: |
|
|
1786 | |
|
|
1787 | tcp_connect $host, $port, sub { |
|
|
1788 | my ($fh) = @_; |
|
|
1789 | |
|
|
1790 | my $handle = new AnyEvent::Handle |
|
|
1791 | fh => $fh, |
|
|
1792 | tls => "connect", |
|
|
1793 | on_error => sub { ... }; |
|
|
1794 | |
|
|
1795 | $handle->push_write (...); |
|
|
1796 | }; |
|
|
1797 | |
|
|
1798 | =item I want to contact a TLS/SSL server, I do care about security. |
|
|
1799 | |
|
|
1800 | Then you should additionally enable certificate verification, including |
|
|
1801 | peername verification, if the protocol you use supports it (see |
|
|
1802 | L<AnyEvent::TLS>, C<verify_peername>). |
|
|
1803 | |
|
|
1804 | E.g. for HTTPS: |
|
|
1805 | |
|
|
1806 | tcp_connect $host, $port, sub { |
|
|
1807 | my ($fh) = @_; |
|
|
1808 | |
|
|
1809 | my $handle = new AnyEvent::Handle |
|
|
1810 | fh => $fh, |
|
|
1811 | peername => $host, |
|
|
1812 | tls => "connect", |
|
|
1813 | tls_ctx => { verify => 1, verify_peername => "https" }, |
|
|
1814 | ... |
|
|
1815 | |
|
|
1816 | Note that you must specify the hostname you connected to (or whatever |
|
|
1817 | "peername" the protocol needs) as the C<peername> argument, otherwise no |
|
|
1818 | peername verification will be done. |
|
|
1819 | |
|
|
1820 | The above will use the system-dependent default set of trusted CA |
|
|
1821 | certificates. If you want to check against a specific CA, add the |
|
|
1822 | C<ca_file> (or C<ca_cert>) arguments to C<tls_ctx>: |
|
|
1823 | |
|
|
1824 | tls_ctx => { |
|
|
1825 | verify => 1, |
|
|
1826 | verify_peername => "https", |
|
|
1827 | ca_file => "my-ca-cert.pem", |
|
|
1828 | }, |
|
|
1829 | |
|
|
1830 | =item I want to create a TLS/SSL server, how do I do that? |
|
|
1831 | |
|
|
1832 | Well, you first need to get a server certificate and key. You have |
|
|
1833 | three options: a) ask a CA (buy one, use cacert.org etc.) b) create a |
|
|
1834 | self-signed certificate (cheap. check the search engine of your choice, |
|
|
1835 | there are many tutorials on the net) or c) make your own CA (tinyca2 is a |
|
|
1836 | nice program for that purpose). |
|
|
1837 | |
|
|
1838 | Then create a file with your private key (in PEM format, see |
|
|
1839 | L<AnyEvent::TLS>), followed by the certificate (also in PEM format). The |
|
|
1840 | file should then look like this: |
|
|
1841 | |
|
|
1842 | -----BEGIN RSA PRIVATE KEY----- |
|
|
1843 | ...header data |
|
|
1844 | ... lots of base64'y-stuff |
|
|
1845 | -----END RSA PRIVATE KEY----- |
|
|
1846 | |
|
|
1847 | -----BEGIN CERTIFICATE----- |
|
|
1848 | ... lots of base64'y-stuff |
|
|
1849 | -----END CERTIFICATE----- |
|
|
1850 | |
|
|
1851 | The important bits are the "PRIVATE KEY" and "CERTIFICATE" parts. Then |
|
|
1852 | specify this file as C<cert_file>: |
|
|
1853 | |
|
|
1854 | tcp_server undef, $port, sub { |
|
|
1855 | my ($fh) = @_; |
|
|
1856 | |
|
|
1857 | my $handle = new AnyEvent::Handle |
|
|
1858 | fh => $fh, |
|
|
1859 | tls => "accept", |
|
|
1860 | tls_ctx => { cert_file => "my-server-keycert.pem" }, |
|
|
1861 | ... |
|
|
1862 | |
|
|
1863 | When you have intermediate CA certificates that your clients might not |
|
|
1864 | know about, just append them to the C<cert_file>. |
|
|
1865 | |
1760 | =back |
1866 | =back |
1761 | |
1867 | |
1762 | |
1868 | |
1763 | =head1 SUBCLASSING AnyEvent::Handle |
1869 | =head1 SUBCLASSING AnyEvent::Handle |
1764 | |
1870 | |