Hi,

I'm trying to write SSL server using your library and I intend to heavily customize SSL context. The issue I'm having is that SSL_CTX is only available when server is started. This poses two issues for me:

• SSL server starts with some default configuration and will run with configuration for a brief moment meaning it in theory will be able to accept SSL connections before all security settings are applied. This is miniscule but still security flaw in the design.
• OpenSSL documentation is explicitly suggest against modifying SSL_CTX after it had been used to create SSL sessions, which is always a possibility with the current API.

Here are some suggestions you may consider:

• leave it to the API user to create an SSL_CTX of their liking.
• pass the SSL_CTX to ad_server_start() or as an option of ad_server (or NULL if no SSL support is needed).
• remove server.enable_ssl, server.ssl_cert, server.ssl_pkey server options
• optionally, provide an utility method to create simple SSL_CTX as a starting point for simple applications, something along these lines SSL_CTX *ad_create_ssl_context (const char *cert_path, const char *priv_key_path).

When including asyncd/ad_server.h it complains about qlibc's headers. Can you also install qlibc if it is not already there, when you do make install? Otherwise you get an unusable install.

Hello,

Firstly, thanks for share this nice library, I did some tests (using helloworld_http_server demo) with JMeter and I'm impressed with libasyncd performance, it's so fast like Civetweb HTTP server and NodeJS! =)

However, I don't know C, so I can't understand libasyncd sources to check about this possibility: to use the libasyncd.so/dll to create a HTTP/HTTPS server with Free Pascal [¹].

[¹] Creating bindings for C libraries.

Hello, to make a simple testcase, modify helloworld_http_server.c:

int my_http_get_handler(short event, ad_conn_t *conn, void *userdata) {
    struct ad_http_s *http;
    if (ad_http_get_status(conn) == AD_HTTP_REQ_DONE) {
        // get the http struct pointer
        http = ad_conn_get_extra(conn);
        // check if the request matches our shutdown command
        if (strcmp("/SHUTDOWN",http->request.path) == 0) {
          ad_http_set_response_header(conn,"Content-Length","13");
          ad_http_response(conn, 200, "text/plain", "Shutting down", 13);
          ad_server_stop(conn->server);
        } else {
          ad_http_response(conn, 200, "text/html", "Hello World", 11);
        }
        return ad_http_is_keepalive_request(conn) ? AD_DONE : AD_CLOSE;
    }
    return AD_OK;
}

and in main:

int main(int argc, char **argv) {
    int rc;
    ad_log_level(AD_LOG_DEBUG);
    ad_server_t *server = ad_server_new();
    ad_server_set_option(server, "server.port", "8888");
    // set a timeout, so the client actually renders the content
    ad_server_set_option(server, "server.timeout", "2");
    ad_server_register_hook(server, ad_http_handler, NULL); // HTTP Parser is also a hook.
    ad_server_register_hook_on_method(server, "GET", my_http_get_handler, NULL);
    ad_server_register_hook(server, my_http_default_handler, NULL);
    rc = ad_server_start(server);
    ad_server_free(server);
    return rc;
}

Start the server. Issue a test request for '/'. Get 'Hello World'. Issue a request for '/SHUTDOWN'. Get 'Shutting down'. Here's the last few lines of the log output:

[DEBUG] Connection closed. [conn_cb(),ad_server.c:751]
[DEBUG] Existing loop. [notify_cb(),ad_server.c:503]
[DEBUG] Loop finished [server_loop(),ad_server.c:512]
[DEBUG] Closing server. [close_server(),ad_server.c:519]
[INFO] Server closed.
[DEBUG] Server terminated. [ad_server_free(),ad_server.c:330]
Segmentation fault

uname -a: Linux sgmtech 3.2.0-4-686-pae #1 SMP Debian 3.2.65-1+deb7u2 i686 GNU/Linux distro : Debian 7, stock kernel. Libevent version: 2.0.19-stable

I am occasionally getting extra characters when using ad_http_get_content.

post = ad_http_get_content(conn, http->request.contentlength, 0);

Below is a screenshot. Also, that is not a real API key.

Most of the time it is just gibberish. I have seen the domain name appended to post. See screenshot below:

I'm afraid there is a memory leak in my code or the ad_http_get_content function.

I am using SSL. If you need to see my code, it's currently in a private repo, but I can add you to it.

Thanks!

SSL_CTX_use_certificate_chain_file() should be used instead of the SSL_CTX_use_certificate_file() function in order to allow the use of complete certificate chains even when no trusted CA storage is used or when the CA issuing the certificate shall not be added to the trusted CA storage.

According to OpenSSL docs.

Hello,

Is asyncd library compilable on Windows? I'm trying to compile it, but:

fatal error: arpa/inet.h: No such file or directory

Based in this error, so I believe that it is only for Unix systems.

Thank you!

I'm getting a segfault when using SSL mode. Here is a trace from gdb:

...
[DEBUG] conn_cb: status:0x0, event:0x4 [conn_cb(),ad_server.c:724]
[DEBUG] call_hooks: event 0x4 [call_hooks(),ad_server.c:758]
[DEBUG] ==> HTTP WRITE [ad_http_handler(),ad_http_handler.c:101]
[DEBUG] call_hooks: event 0x8 [call_hooks(),ad_server.c:758]
[DEBUG] ==> HTTP CLOSE=8 (TIMEOUT=0, SHUTDOWN=0) [ad_http_handler(),ad_http_handler.c:105]
[DEBUG] Connection closed. [conn_cb(),ad_server.c:751]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffb3fff700 (LWP 21411)]
0x00007ffff672e9e6 in evbuffer_get_length () from /usr/lib/libevent-2.0.so.5
(gdb) bt
#0  0x00007ffff672e9e6 in evbuffer_get_length () from /usr/lib/libevent-2.0.so.5
#1  0x0000000000421dbc in ad_http_send_header (conn=<optimized out>) at ad_http_handler.c:345
#2  0x0000000000422078 in ad_http_send_data (conn=0x7fffac006160, data=0x42b17a, size=11) at ad_http_handler.c:367
#3  0x000000000040d51f in _http_get_handler (event=2, conn=0x7fffac006160, userdata=0x0) at ak-http-connector.c:80
#4  0x000000000041f6f6 in call_hooks (event=2, conn=0x7fffac006160) at ad_server.c:769
#5  0x00000000004204ec in conn_cb (conn=0x7fffac006160, event=2) at ad_server.c:726
#6  0x00007ffff6963369 in ?? () from /usr/lib/libevent_openssl-2.0.so.5
#7  0x00007ffff696397a in ?? () from /usr/lib/libevent_openssl-2.0.so.5
#8  0x00007ffff6963a08 in ?? () from /usr/lib/libevent_openssl-2.0.so.5
#9  0x00007ffff67299cc in event_base_loop () from /usr/lib/libevent-2.0.so.5
#10 0x000000000041f5b1 in server_loop (instance=0x650700) at ad_server.c:511
#11 0x00007ffff6145e9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#12 0x00007ffff644e8bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#13 0x0000000000000000 in ?? ()

The test program is the one from README.md with minor tweaks to SSL_CTX_*. The code is executed on Ubuntu 12.04. And requests are generated from https://www.ssllabs.com/ssltest/index.html.

Any ideas?

…systems. Currently uses ifdef's; future revisions may abstract into an interface.

This change was tested on FreeBSD and Arch Linux. The Linux version still uses eventfd as before, but the BSD version uses kqueue, which in theory is supported across FreeBSD, NetBSD and OpenBSD as well as Mac OS X.

Some places like https://github.com/wolkykim/libasyncd/blob/40768e1adc67c9fc700541a9a69166b45e78f403/src/ad_http_handler.c#L279 are assuming that off_t is 64bits which by default is not the case when compiling on 32 bits. Adding -D_FILE_OFFSET_BITS=64 to the Makefile.in.

Without it, Content-Length (to name one) is broken:

$ curl -I http://localhost:1337
HTTP/1.1 200 OK
Content-Length: 47244640258
Content-Type: text/plain
Connection: Keep-Alive

• fix submake calls
• fix missing DESTDIR
• adding makefile option QLIBC to wether or not recover qlibc at compile time (call "make QLIBC=system" to NOT recover qlibc)
• modifying README concequently

Hello there! I'm currently trying to write multithreaded servers in C++ and decided to use Libasyncd, as it seemed simple and straightforward to work with. I already managed to write a simple http server following the examples, but it looks like your library only allows it to work in one thread. I also tried changing the "server.thread" setting to "1", but this just caused the server to stop working without any errors. Apparently, it is not sent to a separate thread, as well as it is not launched in several threads, since when sending a request into the url of my server, I get "Connection refused". So, my question is:

1. (most importantly) is it possible to use this library to start the server in several(let's say in 4) threads, without running the code 4 times in 4 different sessions?
2. what is the "server.thread" parameter responsible for, how should it work, and when should it be used? This was not clear from the documentation.
3. if you can't use multithreading using the library, can you suggest different ways to solve this problem?

I would be very grateful if I get answers to these questions! Thank you!

Hi, i have started 6 server threads which are running independantly, and there is a need for me to stop them at some instance of execution. while i was invoking the function ad_server_stop(server*) the code was getting stuck at : pthread_join function. "Waiting server's last loop to finish"

But after modifying the code like below it started working. if (server->thread) { void *retval = NULL; DEBUG("Waiting server's last loop to finish."); pthread_join((server->thread), &retval); //// earlier the argument to this function was (*pthread_t) which is wrong , it should be just pthread_t. free(retval); free(server->thread); server->thread = NULL; }

Hey.

I've been looking for a c/c++ library that can be used to make a https web server.

How do I combine the SSL and http server examples so that I can make an https server?

Best,

Rick

I was starting to implement a simple HTTP application using libsyncd when I noticed currently there seems to be no mechanism to limit the size of requests. This can be exploited by an attacker by sending an arbitrary amount of data to a server. While the user may provide code to impose a limit for simple TCP it seems to me that is not the case for HTTP requests using ad_http_handler().

Explanation

To process a HTTP request ad_http_handler() can be used. This function calls http_parser(), which returns AD_TAKEOVER except when the request is complete (both header and body have been received). Therefore, the user's callbacks are not called while the request is not complete, which means

• the user cannot verify how much data has been received;
• all the received data will stay in the RAM while the request is not complete (since the user's callbacks aren't called to process the data).

This leads to a simple attack vector enabling to exhaust the memory of a server.

Mitigation

The best way I could think of to mitigate this vulnerability (of course you might have a better one) is to define a maximum request length per server. A default value should be provided (for example 10 MB) which the user could override with ad_server_set_option(). This would "protect" both raw TCP and HTTP(S) applications.

At first I thought of rejecting requests based on the Content-Length header, but

• raw TCP would be left unprotected (unless the user implemented a limit, which he might not do because he did not thing about this type of attack)
• Content-Length refers only to the body of the request, meaning the headers would still be vulnerable
• Content-Length is not absolutely required by HTTP/1.1

However, using the content length header might still be useful for early rejections: for example if Content-Length states the body will contain 1 GB but our server only accepts 10 MB then the request could be rejected right away.

As a last note: when refusing a HTTP request for being too long, a response with a HTTP 413 status code could be sent before closing the connection (so that the client is not left in the dark as to why it was closed).

I hope this can help improving the security of libasyncd :)

Is it (somewhat easily) possible to have different callbacks registered on different ports (e.g.because the implement different protocols) without threads? And for this, one needs to (also) hook some buffer transfer logic as the daemon mustn't block.

So the basic idea is:

• register various callbacks to various (different) ports
• the callbacks are called if data is available. the callback functions buffer the data and handle it, if enough data is here (e.a. a complete request).
• the response is constructed (non-blocking) and stored in some buffer (and is gradually transmitted).

Using threads just adds the complexity for internal explicit synchronization ....

Hello,

I'm using this library in a multithreaded environment. When a new request arrives I add a new thread in a Thread pool. I managed to write from here using evbuffer_add.

I managed to do something by setting userdata. and at every event I check the content to know if I should return AD_CLOSE.

Is there a better way to do this ?

Thanks a lot