1 After applying this patch, run these commands for a successful build:
11 I've been hacking together a way to use rsync with OpenSSL, and have
12 attached my current patch against a recent CVS tree. The details of
13 this implementation are:
15 1. The SSL code is added as a "layer" that is forked into its own
18 2. An SSL connection is established by the client issuing the
23 And, if the server allows SSL, it replies with
27 At which point both sides begin negotiating the SSL connection.
28 Servers that can't or don't want to use SSL just treat it as a
29 normal unknown command.
31 3. The SSL code is meant to be unobtrusive, and when this patch is
32 applied the program may still be built with no SSL code.
34 4. There are a number of details not implemented.
36 All warnings apply; I don't do C programming all that often, so I
37 can't say if I've left any cleanup/compatibility errors in the code.
40 --- orig/Makefile.in 2004-11-03 11:56:03
41 +++ Makefile.in 2004-10-08 20:17:06
42 @@ -39,7 +39,7 @@ OBJS3=progress.o pipe.o
43 DAEMON_OBJ = params.o loadparm.o clientserver.o access.o connection.o authenticate.o
44 popt_OBJS=popt/findme.o popt/popt.o popt/poptconfig.o \
45 popt/popthelp.o popt/poptparse.o
46 -OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) $(ZLIBOBJ) @BUILD_POPT@
47 +OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) $(ZLIBOBJ) @BUILD_POPT@ @SSL_OBJS@
49 TLS_OBJ = tls.o syscall.o lib/compat.o lib/snprintf.o lib/permstring.o
51 --- orig/cleanup.c 2005-01-28 23:01:07
52 +++ cleanup.c 2005-01-10 10:43:22
60 extern int keep_partial;
61 extern int log_got_error;
62 extern char *partial_dir;
63 @@ -97,6 +100,11 @@ void _exit_cleanup(int code, const char
64 signal(SIGUSR1, SIG_IGN);
65 signal(SIGUSR2, SIG_IGN);
73 rprintf(FINFO,"_exit_cleanup(code=%d, file=%s, line=%d): entered\n",
75 --- orig/clientserver.c 2005-02-01 10:39:22
76 +++ clientserver.c 2004-10-08 20:44:59
77 @@ -45,6 +45,9 @@ extern int select_timeout;
78 extern int orig_umask;
80 extern int default_af_hint;
84 extern char *bind_address;
85 extern struct filter_list_struct server_filter_list;
86 extern char *config_file;
87 @@ -100,8 +103,18 @@ int start_socket_client(char *host, char
88 exit_cleanup(RERR_SOCKETIO);
90 ret = start_inband_exchange(user, path, fd, fd, argc);
96 + int f_in = get_tls_rfd();
97 + int f_out = get_tls_wfd();
98 + return client_run(f_in, f_out, -1, argc, argv);
102 - return ret < 0? ret : client_run(fd, fd, -1, argc, argv);
103 + return client_run(fd, fd, -1, argc, argv);
106 int start_inband_exchange(char *user, char *path, int f_in, int f_out,
107 @@ -162,6 +175,33 @@ int start_inband_exchange(char *user, ch
109 print_child_argv(sargs);
113 + io_printf(f_out, "#starttls\n");
115 + if (!read_line(f_in, line, sizeof(line)-1)) {
116 + rprintf(FERROR, "rsync: did not receive reply to #starttls\n");
119 + if (strncmp(line, "@ERROR", 6) == 0) {
120 + rprintf(FERROR, "%s\n", line);
123 + if (strcmp(line, "@RSYNCD: starttls") == 0) {
126 + rprintf(FINFO, "%s\n", line);
128 + if (start_tls(f_in, f_out)) {
129 + rprintf(FERROR, "rsync: error during SSL handshake: %s\n",
133 + f_in = get_tls_rfd();
134 + f_out = get_tls_wfd();
138 p = strchr(path,'/');
140 io_printf(f_out, "%s\n", path);
141 @@ -190,6 +230,10 @@ int start_inband_exchange(char *user, ch
142 * server to terminate the listing of modules.
143 * We don't want to go on and transfer
144 * anything; just exit. */
152 @@ -197,6 +241,10 @@ int start_inband_exchange(char *user, ch
153 rprintf(FERROR, "%s\n", line);
154 /* This is always fatal; the server will now
155 * close the socket. */
160 return RERR_STARTCLIENT;
162 rprintf(FINFO,"%s\n", line);
163 @@ -523,6 +571,7 @@ static void send_listing(int fd)
164 io_printf(fd,"@RSYNCD: EXIT\n");
168 /* this is called when a connection is established to a client
169 and we want to start talking. The setup of the system is done from
171 @@ -572,6 +621,9 @@ int start_daemon(int f_in, int f_out)
172 if (protocol_version > remote_protocol)
173 protocol_version = remote_protocol;
179 if (!read_line(f_in, line, sizeof line - 1))
181 @@ -581,6 +633,20 @@ int start_daemon(int f_in, int f_out)
186 + if (use_ssl && strcmp(line, "#starttls") == 0) {
187 + io_printf(f_out, "@RSYNCD: starttls\n");
188 + if (start_tls(f_in, f_out)) {
189 + rprintf(FLOG, "SSL connection failed: %s\n",
193 + f_in = get_tls_rfd();
194 + f_out = get_tls_wfd();
200 /* it's some sort of command that I don't understand */
201 io_printf(f_out, "@ERROR: Unknown command '%s'\n", line);
202 --- orig/configure.in 2005-01-28 23:01:08
203 +++ configure.in 2004-07-03 20:22:28
204 @@ -271,6 +271,21 @@ yes
205 AC_SEARCH_LIBS(getaddrinfo, inet6)
208 +AC_ARG_ENABLE(openssl,
209 + AC_HELP_STRING([--enable-openssl], [compile SSL support with OpenSSL.]))
211 +if test "x$enable_openssl" != xno
214 + AC_CHECK_LIB(ssl, SSL_library_init, , [have_ssl=no])
215 + if test "x$have_ssl" = xyes
217 + AC_DEFINE(HAVE_OPENSSL, 1, [true if you want to use SSL.])
223 AC_MSG_CHECKING([whether to call shutdown on all sockets])
225 *cygwin* ) AC_MSG_RESULT(yes)
226 --- orig/main.c 2005-01-30 10:07:21
227 +++ main.c 2004-10-08 20:15:28
228 @@ -56,6 +56,9 @@ extern int write_batch;
230 extern int batch_gen_fd;
231 extern int filesfrom_fd;
235 extern pid_t cleanup_child_pid;
236 extern char *files_from;
237 extern char *remote_filesfrom_file;
238 @@ -835,33 +838,48 @@ static int start_client(int argc, char *
239 if ((rc = copy_argv(argv)))
242 - /* rsync:// always uses rsync server over direct socket connection */
243 - if (strncasecmp(URL_PREFIX, argv[0], strlen(URL_PREFIX)) == 0
246 + if (!read_batch) { /* for read_batch, NO source is specified */
247 + int url_prefix_len = sizeof URL_PREFIX - 1;
249 - host = argv[0] + strlen(URL_PREFIX);
250 - p = strchr(host,'/');
256 - if (*host == '[' && (p = strchr(host, ']')) != NULL) {
262 - p = strchr(host, ':');
264 - rsync_port = atoi(p+1);
266 + /* rsync:// always uses rsync server over direct socket connection */
267 + if (strncasecmp(URL_PREFIX, argv[0], url_prefix_len) != 0) {
269 + url_prefix_len = sizeof SSL_URL_PREFIX - 1;
270 + if (strncasecmp(SSL_URL_PREFIX, argv[0], url_prefix_len) != 0)
271 + url_prefix_len = 0;
278 + url_prefix_len = 0;
281 + if (url_prefix_len) {
284 + host = argv[0] + url_prefix_len;
285 + p = strchr(host,'/');
291 + if (*host == '[' && (p = strchr(host, ']')) != NULL) {
297 + p = strchr(host, ':');
299 + rsync_port = atoi(p+1);
302 + return start_socket_client(host, path, argc-1, argv+1);
304 - return start_socket_client(host, path, argc-1, argv+1);
307 - if (!read_batch) { /* for read_batch, NO source is specified */
308 p = find_colon(argv[0]);
309 if (p) { /* source is remote */
310 if (remote_filesfrom_file
311 @@ -893,12 +911,26 @@ static int start_client(int argc, char *
313 } else { /* source is local */
316 + url_prefix_len = sizeof URL_PREFIX - 1;
317 /* rsync:// destination uses rsync server over direct socket */
318 - if (strncasecmp(URL_PREFIX, argv[argc-1], strlen(URL_PREFIX)) == 0) {
319 + if (strncasecmp(URL_PREFIX, argv[argc-1], url_prefix_len) != 0) {
321 + url_prefix_len = sizeof SSL_URL_PREFIX - 1;
322 + if (strncasecmp(SSL_URL_PREFIX, argv[argc-1], url_prefix_len) != 0)
323 + url_prefix_len = 0;
330 + url_prefix_len = 0;
333 + if (url_prefix_len) {
336 - host = argv[argc-1] + strlen(URL_PREFIX);
337 + host = argv[argc-1] + url_prefix_len;
338 p = strchr(host,'/');
341 --- orig/options.c 2005-02-01 10:39:22
342 +++ options.c 2004-11-27 18:31:46
343 @@ -144,6 +144,14 @@ int quiet = 0;
344 int always_checksum = 0;
349 +char *ssl_cert_path = NULL;
350 +char *ssl_key_path = NULL;
351 +char *ssl_key_passwd = NULL;
352 +char *ssl_ca_path = NULL;
355 #define MAX_BATCH_NAME_LEN 256 /* Must be less than MAXPATHLEN-13 */
356 char *batch_name = NULL;
358 @@ -166,6 +174,7 @@ static void print_rsync_version(enum log
359 char const *hardlinks = "no ";
360 char const *links = "no ";
361 char const *ipv6 = "no ";
362 + char const *ssl = "no ";
363 STRUCT_STAT *dumstat;
366 @@ -188,6 +197,10 @@ static void print_rsync_version(enum log
374 rprintf(f, "%s version %s protocol version %d\n",
375 RSYNC_NAME, RSYNC_VERSION, PROTOCOL_VERSION);
377 @@ -201,10 +214,10 @@ static void print_rsync_version(enum log
378 /* Note that this field may not have type ino_t. It depends
379 * on the complicated interaction between largefile feature
381 - rprintf(f, " %sinplace, %sIPv6, %d-bit system inums, %d-bit internal inums\n",
382 + rprintf(f, " %sinplace, %sIPv6, %d-bit system inums, %d-bit internal inums, %sssl\n",
384 (int) (sizeof dumstat->st_ino * 8),
385 - (int) (sizeof (int64) * 8));
386 + (int) (sizeof (int64) * 8), ssl);
387 #ifdef MAINTAINER_MODE
388 rprintf(f, " panic action: \"%s\"\n",
390 @@ -331,6 +344,13 @@ void usage(enum logcode F)
391 rprintf(F," -4, --ipv4 prefer IPv4\n");
392 rprintf(F," -6, --ipv6 prefer IPv6\n");
395 + rprintf(F," --ssl allow socket connections to use SSL\n");
396 + rprintf(F," --ssl-cert=FILE path to server's SSL certificate\n");
397 + rprintf(F," --ssl-key=FILE path to server's SSL private key\n");
398 + rprintf(F," --ssl-key-passwd=PASS password for PEM-encoded private key\n");
399 + rprintf(F," --ssl-ca-certs=FILE path to trusted CA certificates\n");
401 rprintf(F," -h, --help show this help screen\n");
403 rprintf(F,"\nUse \"rsync --daemon --help\" to see the daemon-mode command-line options.\n");
404 @@ -341,7 +361,7 @@ void usage(enum logcode F)
405 enum {OPT_VERSION = 1000, OPT_DAEMON, OPT_SENDER, OPT_EXCLUDE, OPT_EXCLUDE_FROM,
406 OPT_FILTER, OPT_COMPARE_DEST, OPT_COPY_DEST, OPT_LINK_DEST,
407 OPT_INCLUDE, OPT_INCLUDE_FROM, OPT_MODIFY_WINDOW,
408 - OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_TIMEOUT, OPT_MAX_SIZE,
409 + OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_TIMEOUT, OPT_MAX_SIZE, OPT_USE_SSL,
410 OPT_REFUSED_BASE = 9000};
412 static struct poptOption long_options[] = {
413 @@ -436,6 +456,13 @@ static struct poptOption long_options[]
414 {"ipv4", '4', POPT_ARG_VAL, &default_af_hint, AF_INET, 0, 0 },
415 {"ipv6", '6', POPT_ARG_VAL, &default_af_hint, AF_INET6, 0, 0 },
418 + {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0},
419 + {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0},
420 + {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0},
421 + {"ssl-key-passwd", 0, POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0},
422 + {"ssl-ca-certs", 0, POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0},
424 /* All these options switch us into daemon-mode option-parsing. */
425 {"address", 0, POPT_ARG_STRING, 0, OPT_DAEMON, 0, 0 },
426 {"config", 0, POPT_ARG_STRING, 0, OPT_DAEMON, 0, 0 },
427 @@ -802,6 +829,12 @@ int parse_arguments(int *argc, const cha
428 basis_dir[basis_dir_cnt++] = (char *)arg;
438 /* A large opt value means that set_refuse_options()
439 * turned this option off (opt-BASE is its index). */
440 @@ -1018,6 +1051,17 @@ int parse_arguments(int *argc, const cha
441 if (delay_updates && !partial_dir)
442 partial_dir = ".~tmp~";
447 + snprintf(err_buf, sizeof(err_buf),
448 + "Openssl error: %s\n",
458 --- orig/rsync.h 2005-02-03 02:04:20
459 +++ rsync.h 2004-10-08 21:01:33
462 #define DEFAULT_LOCK_FILE "/var/run/rsyncd.lock"
463 #define URL_PREFIX "rsync://"
464 +#define SSL_URL_PREFIX "rsyncs://"
466 #define BACKUP_SUFFIX "~"
468 @@ -386,6 +387,11 @@ enum msgcode {
469 # define SIZEOF_INT64 SIZEOF_OFF_T
473 +#include <openssl/ssl.h>
474 +#include <openssl/err.h>
477 /* Starting from protocol version 26, we always use 64-bit
478 * ino_t and dev_t internally, even if this platform does not
479 * allow files to have 64-bit inums. That's because the
480 --- orig/ssl.c 2004-10-08 19:37:22
481 +++ ssl.c 2004-10-08 19:37:22
483 +/* -*- c-file-style: "linux" -*-
484 + * ssl.c: operations for negotiating SSL rsync connections.
486 + * Copyright (C) 2003 Casey Marshall <rsdio@metastatic.org>
488 + * This program is free software; you can redistribute it and/or modify
489 + * it under the terms of the GNU General Public License as published by
490 + * the Free Software Foundation; either version 2 of the License, or
491 + * (at your option) any later version.
493 + * This program is distributed in the hope that it will be useful,
494 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
495 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
496 + * GNU General Public License for more details.
498 + * You should have received a copy of the GNU General Public License
499 + * along with this program; if not, write to the Free Software
500 + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
505 +#if HAVE_SYS_SELECT_H
506 +#include <sys/select.h>
508 +#include <sys/time.h>
509 +#include <sys/types.h>
514 +#define BUF_SIZE 1024
517 +extern int am_daemon;
518 +extern int am_server;
520 +extern char *ssl_cert_path;
521 +extern char *ssl_key_path;
522 +extern char *ssl_key_passwd;
523 +extern char *ssl_ca_path;
525 +static SSL_CTX *ssl_ctx;
527 +static int tls_read[2] = { -1, -1 };
528 +static int tls_write[2] = { -1, -1 };
529 +static int ssl_running;
530 +static int ssl_pid = -1;
533 + * A non-interactive callback to be passed to SSL_CTX_set_default_password_cb,
534 + * which merely copies the value of ssl_key_passwd into buf. This is
535 + * used for when the private key password is supplied via an option.
537 +static int default_password_cb(char *buf, int n, UNUSED(int f), UNUSED(void *u))
539 + if (ssl_key_passwd == NULL || n < (int)strlen(ssl_key_passwd))
541 + strncpy(buf, ssl_key_passwd, n-1);
542 + return strlen(ssl_key_passwd);
546 + * If verbose, this method traces the status of the SSL handshake.
548 +static void info_callback(const SSL *ssl, int cb, int val)
555 + cbs = "SSL_CB_LOOP";
558 + cbs = "SSL_CB_EXIT";
561 + cbs = "SSL_CB_READ";
564 + cbs = "SSL_CB_WRITE";
567 + cbs = "SSL_CB_ALERT";
569 + case SSL_CB_READ_ALERT:
570 + cbs = "SSL_CB_READ_ALERT";
572 + case SSL_CB_WRITE_ALERT:
573 + cbs = "SSL_CB_WRITE_ALERT";
575 + case SSL_CB_ACCEPT_LOOP:
576 + cbs = "SSL_CB_ACCEPT_LOOP";
578 + case SSL_CB_ACCEPT_EXIT:
579 + cbs = "SSL_CB_ACCEPT_EXIT";
581 + case SSL_CB_CONNECT_LOOP:
582 + cbs = "SSL_CB_CONNECT_LOOP";
584 + case SSL_CB_CONNECT_EXIT:
585 + cbs = "SSL_CB_CONNECT_EXIT";
587 + case SSL_CB_HANDSHAKE_START:
588 + cbs = "SSL_CB_HANDSHAKE_START";
590 + case SSL_CB_HANDSHAKE_DONE:
591 + cbs = "SSL_CB_HANDSHAKE_DONE";
594 + snprintf(buf, sizeof buf, "??? (%d)", cb);
599 + rprintf(FLOG, "SSL: info_callback(%p,%s,%d)\n", ssl, cbs, val);
600 + if (cb == SSL_CB_HANDSHAKE_DONE) {
601 + SSL_CIPHER_description(SSL_get_current_cipher((SSL*)ssl),
603 + rprintf(FLOG, "SSL: cipher: %s", buf);
609 + * Initializes the SSL context for TLSv1 connections; returns zero on
616 + SSL_library_init();
617 + SSL_load_error_strings();
618 + ssl_ctx = SSL_CTX_new(TLSv1_method());
621 + SSL_CTX_set_info_callback(ssl_ctx, info_callback);
623 + /* Sets the certificate sent to the other party. */
624 + if (ssl_cert_path != NULL
625 + && SSL_CTX_use_certificate_file(ssl_ctx, ssl_cert_path,
626 + SSL_FILETYPE_PEM) != 1)
628 + /* Set up the simple non-interactive callback if the password
629 + * was supplied on the command line. */
630 + if (ssl_key_passwd != NULL)
631 + SSL_CTX_set_default_passwd_cb(ssl_ctx, default_password_cb);
632 + /* Sets the private key that matches the public certificate. */
633 + if (ssl_key_path != NULL) {
634 + if (SSL_CTX_use_PrivateKey_file(ssl_ctx, ssl_key_path,
635 + SSL_FILETYPE_PEM) != 1)
637 + if (SSL_CTX_check_private_key(ssl_ctx) != 1)
640 + if (ssl_ca_path != NULL
641 + && !SSL_CTX_load_verify_locations(ssl_ctx, ssl_ca_path, NULL))
648 + * Returns the error string for the current SSL error, if any.
650 +char *get_ssl_error(void)
652 + return ERR_error_string(ERR_get_error(), NULL);
656 + * Returns the input file descriptor for the SSL connection.
658 +int get_tls_rfd(void)
660 + return tls_read[0];
664 + * Returns the output file descriptor for the SSL connection.
666 +int get_tls_wfd(void)
668 + return tls_write[1];
672 + * Signal handler that ends the SSL connection.
674 +static RETSIGTYPE tls_sigusr1(int UNUSED(val))
685 + * Negotiates the TLS connection, creates a socket pair for communicating
686 + * with the rsync process, then forks into a new process that will handle
687 + * the communication.
689 + * 0 is returned on success.
691 +int start_tls(int f_in, int f_out)
695 + unsigned char buf1[BUF_SIZE], buf2[BUF_SIZE];
696 + int avail1 = 0, avail2 = 0, write1 = 0, write2 = 0;
699 + if (fd_pair(tls_read))
701 + if (fd_pair(tls_write))
704 + set_blocking(tls_read[0]);
705 + set_blocking(tls_read[1]);
706 + set_blocking(tls_write[0]);
707 + set_blocking(tls_write[1]);
708 + set_blocking(f_in);
709 + set_blocking(f_out);
711 + ssl_pid = do_fork();
714 + if (ssl_pid != 0) {
715 + close(tls_write[0]);
716 + close(tls_read[1]);
720 + signal(SIGUSR1, tls_sigusr1);
721 + ssl = SSL_new(ssl_ctx);
724 + if (am_daemon || am_server)
725 + SSL_set_accept_state(ssl);
727 + SSL_set_connect_state(ssl);
728 + SSL_set_rfd(ssl, f_in);
729 + SSL_set_wfd(ssl, f_out);
731 + tls_fd = SSL_get_fd(ssl);
733 + n = MAX(tls_read[1], n);
734 + n = MAX(tls_fd, n) + 1;
737 + while (ssl_running) {
740 + FD_SET(tls_write[0], &rd);
741 + FD_SET(tls_read[1], &wd);
742 + FD_SET(tls_fd, &rd);
743 + FD_SET(tls_fd, &wd);
745 + r = select(n, &rd, &wd, NULL, NULL);
747 + if (r == -1 && errno == EINTR)
749 + if (FD_ISSET(tls_write[0], &rd)) {
750 + r = read(tls_write[0], buf1+avail1, BUF_SIZE-avail1);
754 + rprintf(FERROR, "pipe read error: %s\n",
759 + if (FD_ISSET(tls_fd, &rd)) {
760 + r = SSL_read(ssl, buf2+avail2, BUF_SIZE-avail2);
764 + switch (SSL_get_error(ssl, r)) {
765 + case SSL_ERROR_ZERO_RETURN:
767 + case SSL_ERROR_WANT_READ:
768 + case SSL_ERROR_WANT_WRITE:
770 + case SSL_ERROR_SYSCALL:
772 + rprintf(FERROR, "SSL spurious EOF\n");
774 + rprintf(FERROR, "SSL I/O error: %s\n",
777 + case SSL_ERROR_SSL:
778 + rprintf(FERROR, "SSL: %s\n",
779 + ERR_error_string(ERR_get_error(), NULL));
782 + rprintf(FERROR, "unexpected ssl error %d\n", r);
787 + if (FD_ISSET(tls_read[1], &wd) && write2 < avail2) {
788 + r = write(tls_read[1], buf2+write2, avail2-write2);
792 + rprintf(FERROR, "pipe write error: %s\n",
797 + if (FD_ISSET(tls_fd, &wd) && write1 < avail1) {
798 + r = SSL_write(ssl, buf1+write1, avail1-write1);
802 + switch (SSL_get_error(ssl, r)) {
803 + case SSL_ERROR_ZERO_RETURN:
805 + case SSL_ERROR_WANT_READ:
806 + case SSL_ERROR_WANT_WRITE:
808 + case SSL_ERROR_SYSCALL:
810 + rprintf(FERROR, "SSL: spurious EOF\n");
812 + rprintf(FERROR, "SSL: I/O error: %s\n",
815 + case SSL_ERROR_SSL:
816 + rprintf(FERROR, "SSL: %s\n",
817 + ERR_error_string(ERR_get_error(), NULL));
820 + rprintf(FERROR, "unexpected ssl error %d\n", r);
825 + if (avail1 == write1)
826 + avail1 = write1 = 0;
827 + if (avail2 == write2)
828 + avail2 = write2 = 0;
831 + /* XXX I'm pretty sure that there is a lot that I am not considering
832 + here. Bugs? Yes, probably. */
834 + /* We're finished. */
836 + close(tls_read[1]);
837 + close(tls_write[0]);
842 + * Ends the TLS connection.
847 + kill(ssl_pid, SIGUSR1);