RubyGems - fluent-plugin-secure-forward - Versions diffs - 0.0.1 - Mend

fluent-plugin-secure-forward 0.0.1

Files changed (19) hide show

data/.gitignore +24 -0
data/Gemfile +4 -0
data/LICENSE.txt +13 -0
data/README.md +238 -0
data/Rakefile +2 -0
data/example/auth_client.conf +19 -0
data/example/auth_server.conf +30 -0
data/example/cert_client.conf +22 -0
data/example/cert_server.conf +34 -0
data/example/certs/cert.pem +18 -0
data/example/certs/key.pem +15 -0
data/example/client.conf +13 -0
data/example/server.conf +10 -0
data/fluent-plugin-secure-forward.gemspec +20 -0
data/lib/fluent/plugin/in_secure_forward.rb +402 -0
data/lib/fluent/plugin/out_secure_forward.rb +417 -0
data/test/plugin/test_in_secure_forward.rb +0 -0
data/test/plugin/test_out_secure_forward.rb +0 -0
metadata +129 -0

data/example/server.conf ADDED Viewed

@@ -0,0 +1,10 @@
+<source>
+  type secure_forward
+  self_hostname server
+  shared_key hogeposxxx0
+  cert_auto_generate yes
+</source>
+<match test.**>
+  type stdout
+</match>

data/fluent-plugin-secure-forward.gemspec ADDED Viewed

@@ -0,0 +1,20 @@
+# -*- encoding: utf-8 -*-
+Gem::Specification.new do |gem|
+  gem.name          = "fluent-plugin-secure-forward"
+  gem.version       = "0.0.1"
+  gem.authors       = ["TAGOMORI Satoshi"]
+  gem.email         = ["tagomoris@gmail.com"]
+  gem.summary       = %q{Fluentd input/output plugin to forward over SSL with authentications}
+  gem.description   = %q{This version is HIGHLY EXPERIMENTAL. DON'T USE IN PRODUCTION}
+  gem.homepage      = "https://github.com/tagomoris/fluent-plugin-secure-forward"
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+  gem.add_development_dependency "fluentd"
+  gem.add_development_dependency "fluent-mixin-config-placeholders"
+  gem.add_runtime_dependency "fluentd"
+  gem.add_runtime_dependency "fluent-mixin-config-placeholders"
+end

data/lib/fluent/plugin/in_secure_forward.rb ADDED Viewed

@@ -0,0 +1,402 @@
+# -*- coding: utf-8 -*-
+require 'fluent/mixin/config_placeholders'
+module Fluent
+  class SecureForwardInput < Input
+    DEFAULT_SECURE_LISTEN_PORT = 24284
+    Fluent::Plugin.register_input('secure_forward', self)
+    config_param :self_hostname, :string
+    include Fluent::Mixin::ConfigPlaceholders
+    config_param :shared_key, :string
+    config_param :bind, :string, :default => '0.0.0.0'
+    config_param :port, :integer, :default => DEFAULT_SECURE_LISTEN_PORT
+    config_param :allow_keepalive, :bool, :default => true #TODO: implement
+    config_param :allow_anonymous_source, :bool, :default => true
+    config_param :authentication, :bool, :default => false
+    ## meaningless for security...? not implemented yet
+    # config_param :dns_reverse_lookup_check, :bool, :default => false
+    config_param :cert_auto_generate, :bool, :default => false
+    config_param :generate_private_key_length, :integer, :default => 2048
+    config_param :generate_cert_country, :string, :default => 'US'
+    config_param :generate_cert_state, :string, :default => 'CA'
+    config_param :generate_cert_locality, :string, :default => 'Mountain View'
+    config_param :generate_cert_common_name, :string, :default => nil
+    config_param :cert_file_path, :string, :default => nil
+    config_param :private_key_file, :string, :default => nil
+    config_param :private_key_passphrase, :string, :default => nil
+    config_param :read_length, :size, :default => 8*1024*1024 # 8MB
+    config_param :read_interval_msec, :integer, :default => 50 # 50ms
+    config_param :socket_interval_msec, :integer, :default => 200 # 200ms
+    attr_reader :read_interval, :socket_interval
+    attr_reader :users # list of (username, password) by <user> tag
+    # <user>
+    #   username ....
+    #   password ....
+    # </user>
+    attr_reader :nodes # list of hosts, allowed to connect <server> tag (it includes source ip, shared_key(optional))
+    # <client>
+    #   host ipaddr/hostname
+    #   shared_key .... # optional shared key
+    #   users username,list,of,allowed
+    # </client>
+    attr_reader :sessions # node/socket/thread list which has sslsocket instance keepaliving to client
+    def initialize
+      super
+      require 'resolv'
+      require 'socket'
+      require 'openssl'
+      require 'digest'
+    end
+    def configure(conf)
+      super
+      unless @cert_auto_generate || @cert_file_path
+        raise Fluent::ConfigError, "One of 'cert_auto_generate' or 'cert_file_path' must be specified"
+      end
+      @read_interval = @read_interval_msec / 1000.0
+      @socket_interval = @socket_interval_msec / 1000.0
+      @users = []
+      @nodes = []
+      conf.elements.each do |element|
+        case element.name
+        when 'user'
+          unless element['username'] && element['password']
+            raise Fluent::ConfigError, "username/password pair missing in <user>"
+          end
+          @users.push({
+              username: element['username'],
+              password: element['password']
+            })
+        when 'client'
+          unless element['host']
+            raise Fluent::ConfigError, "host missing in <client>"
+          end
+          @nodes.push({
+              host: element['host'],
+              shared_key: (element['shared_key'] || @shared_key),
+              users: (element['users'] ? element['users'].split(',') : nil),
+            })
+        else
+          raise Fluent::ConfigError, "unknown config tag name"
+        end
+      end
+      @generate_cert_common_name ||= @self_hostname
+      self.certificate
+      true
+    end
+    def start
+      super
+      OpenSSL::Random.seed(File.read("/dev/random", 16))
+      @sessions = []
+      @sock = nil
+      @listener = Thread.new(&method(:run))
+    end
+    def shutdown
+      @listener.kill
+      @listener.join
+      @sessions.each{ |s| s.shutdown }
+      @sock.close
+    end
+    def select_authenticate_users(node, username)
+      if node.nil? || node[:users].nil?
+        @users.select{|u| u[:username] == username}
+      else
+        @users.select{|u| node[:users].include?(u[:username]) && u[:username] == username}
+      end
+    end
+    def certificate
+      return @cert, @key if @cert && @key
+      if @cert_auto_generate
+        key = OpenSSL::PKey::RSA.generate(@generate_private_key_length)
+        digest = OpenSSL::Digest::SHA1.new
+        issuer = subject = OpenSSL::X509::Name.new
+        subject.add_entry('C', @generate_cert_country)
+        subject.add_entry('ST', @generate_cert_state)
+        subject.add_entry('L', @generate_cert_locality)
+        subject.add_entry('CN', @generate_cert_common_name)
+        cer = OpenSSL::X509::Certificate.new
+        cer.not_before = Time.at(0)
+        cer.not_after = Time.at(0)
+        cer.public_key = key
+        cer.serial = 1
+        cer.issuer = issuer
+        cer.subject  = subject
+        cer.sign(key, digest)
+        @cert = cer
+        @key = key
+        return @cert, @key
+      end
+      @cert = OpenSSL::X509::Certificate.new(File.read(@cert_file_path))
+      @key = OpenSSL::PKey::RSA.new(File.read(@private_key_file), @private_key_passphrase)
+    end
+    def run # sslsocket server thread
+      cert, key = self.certificate
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.cert = cert
+      ctx.key = key
+      server = TCPServer.new(@bind, @port)
+      @sock = OpenSSL::SSL::SSLServer.new(server, ctx)
+      loop do
+        while socket = @sock.accept
+          @sessions.push Session.new(self, socket)
+        end
+      end
+    end
+    def on_message(msg)
+      # NOTE: copy&paste from Fluent::ForwardInput#on_message(msg)
+      # TODO: format error
+      tag = msg[0].to_s
+      entries = msg[1]
+      if entries.class == String
+        # PackedForward
+        es = MessagePackEventStream.new(entries, @cached_unpacker)
+        Fluent::Engine.emit_stream(tag, es)
+      elsif entries.class == Array
+        # Forward
+        es = Fluent::MultiEventStream.new
+        entries.each {|e|
+          time = e[0].to_i
+          time = (now ||= Fluent::Engine.now) if time == 0
+          record = e[1]
+          es.add(time, record)
+        }
+        Fluent::Engine.emit_stream(tag, es)
+      else
+        # Message
+        time = msg[1]
+        time = Fluent::Engine.now if time == 0
+        record = msg[2]
+        Fluent::Engine.emit(tag, time, record)
+      end
+    end
+    class Session # Fluent::SecureForwardInput::Session
+      attr_accessor :receiver
+      attr_accessor :state, :thread, :node, :socket, :unpacker, :auth_salt
+      def initialize(receiver, socket)
+        @receiver = receiver
+        @state = :helo
+        @socket = socket
+        @socket.sync = true
+        @ipaddress = nil
+        @node = nil
+        @unpacker = MessagePack::Unpacker.new
+        @thread = Thread.new(&method(:start))
+      end
+      def established?
+        @state == :established
+      end
+      def generate_salt
+        OpenSSL::Random.random_bytes(16)
+      end
+      def check_node(hostname, ipaddress, port, proto)
+        node = nil
+        family = Socket.const_get(proto)
+        @receiver.nodes.each do |n|
+          proto, port, host, ipaddr, family_num, socktype_num, proto_num = Socket.getaddrinfo(n[:host], port, family).first
+          if ipaddr == ipaddress
+            node = n
+            break
+          end
+        end
+        node
+      end
+      ## not implemented yet
+      # def check_hostname_reverse_lookup(ipaddress)
+      #   rev_name = Resolv.getname(ipaddress)
+      #   proto, port, host, ipaddr, family_num, socktype_num, proto_num = Socket.getaddrinfo(rev_name, DUMMY_PORT)
+      #   unless ipaddr == ipaddress
+      #     return false
+      #   end
+      #   true
+      # end
+      def generate_helo
+        $log.debug "generating helo"
+        # ['HELO', options(hash)]
+        [ 'HELO', {'auth' => (@receiver.authentication ? @auth_key_salt : ''), 'keepalive' => @receiver.allow_keepalive } ]
+      end
+      def check_ping(message)
+        $log.debug "checking ping"
+        # ['PING', self_hostname, shared_key\_salt, sha512\_hex(shared_key\_salt + self_hostname + shared_key),
+        #  username || '', sha512\_hex(auth\_salt + username + password) || '']
+        unless message.size == 6 && message[0] == 'PING'
+          return false, 'invalid ping message'
+        end
+        ping, hostname, shared_key_salt, shared_key_hexdigest, username, password_digest = message
+        shared_key = if @node && @node[:shared_key]
+                       @node[:shared_key]
+                     else
+                       @receiver.shared_key
+                     end
+        serverside = Digest::SHA512.new.update(shared_key_salt).update(hostname).update(shared_key).hexdigest
+        if shared_key_hexdigest != serverside
+          $log.warn "Shared key mismatch from '#{hostname}'"
+          return false, 'shared_key mismatch'
+        end
+        if @receiver.authentication
+          users = @receiver.select_authenticate_users(@node, username)
+          success = false
+          users.each do |user|
+            passhash = Digest::SHA512.new.update(@auth_key_salt).update(username).update(user[:password]).hexdigest
+            success ||= (passhash == password_digest)
+          end
+          unless success
+            $log.warn "Authentication failed from client '#{hostname}', username '#{username}'"
+            return false, 'username/password mismatch'
+          end
+        end
+        return true, shared_key_salt
+      end
+      def generate_pong(auth_result, reason_or_salt)
+        $log.debug "generating pong"
+        # ['PONG', bool(authentication result), 'reason if authentication failed',
+        #  self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
+        if not auth_result
+          return ['PONG', false, reason_or_salt, '', '']
+        end
+        shared_key = if @node && @node[:shared_key]
+                       @node[:shared_key]
+                     else
+                       @receiver.shared_key
+                     end
+        shared_key_hex = Digest::SHA512.new.update(reason_or_salt).update(@receiver.self_hostname).update(shared_key).hexdigest
+        [ 'PONG', true, '', @receiver.self_hostname, shared_key_hex ]
+      end
+      def on_read(data)
+        $log.debug "on_read"
+        if self.established?
+          @receiver.on_message(data)
+        end
+        case @state
+        when :pingpong
+          success, reason_or_salt = self.check_ping(data)
+          if not success
+            send_data generate_pong(false, reason_or_salt)
+            self.shutdown
+            return
+          end
+          send_data generate_pong(true, reason_or_salt)
+          $log.debug "connection established"
+          @state = :established
+        end
+      end
+      def send_data(data)
+        # not nonblock because write data (response) needs sequence
+        @socket.write data.to_msgpack
+      end
+      def start
+        $log.debug "starting server"
+        proto, port, host, ipaddr = @socket.io.addr
+        @node = check_node(host, ipaddr, port, proto)
+        if @node.nil? && (! @receiver.allow_anonymous_source)
+          $log.warn "Connection required from unknown host '#{host}' (#{ipaddr}), disconnecting..."
+          self.shutdown
+        end
+        @auth_key_salt = generate_salt
+        buf = ''
+        read_length = @receiver.read_length
+        read_interval = @receiver.read_interval
+        socket_interval = @receiver.socket_interval
+        send_data generate_helo()
+        @state = :pingpong
+        loop do
+          begin
+            while @socket.read_nonblock(read_length, buf)
+              if buf == ''
+                sleep read_interval
+                next
+              end
+              @unpacker.feed_each(buf, &method(:on_read))
+              buf = ''
+            end
+          rescue OpenSSL::SSL::SSLError => e
+            # to wait i/o restart
+            sleep socket_interval
+          rescue EOFError => e
+            $log.debug "Connection closed from '#{host}'(#{ipaddr})"
+            break
+          end
+        end
+        self.shutdown
+      rescue => e
+        $log.warn e
+      end
+      def shutdown
+        @state = :closed
+        if @thread == Thread.current
+          @socket.close
+          @thread.kill
+        else
+          if @thread
+            @thread.kill
+            @thread.join
+          end
+          @socket.close
+        end
+      rescue => e
+        $log.debug "#{e.class}:#{e.message}"
+      end
+    end
+  end
+end

data/lib/fluent/plugin/out_secure_forward.rb ADDED Viewed

@@ -0,0 +1,417 @@
+# -*- coding: utf-8 -*-
+require 'fluent/mixin/config_placeholders'
+module Fluent
+  class SecureForwardOutput < ObjectBufferedOutput
+    DEFAULT_SECURE_CONNECT_PORT = 24284
+    Fluent::Plugin.register_output('secure_forward', self)
+    config_param :self_hostname, :string
+    include Fluent::Mixin::ConfigPlaceholders
+    config_param :shared_key, :string
+    # config_param :keepalive, :time, :default => 3600 # 0 means disable keepalive
+    config_param :send_timeout, :time, :default => 60
+    # config_param :hard_timeout, :time, :default => 60
+    # config_param :expire_dns_cache, :time, :default => 0 # 0 means disable cache
+    config_param :allow_self_signed_certificate, :bool, :default => true
+    config_param :ca_file_path, :string, :default => nil
+    config_param :read_length, :size, :default => 512 # 512bytes
+    config_param :read_interval_msec, :integer, :default => 50 # 50ms
+    config_param :socket_interval_msec, :integer, :default => 200 # 200ms
+    config_param :reconnect_interval, :time, :default => 15
+    attr_reader :read_interval, :socket_interval
+    attr_reader :nodes
+    # <server>
+    #   host ipaddr/hostname
+    #   hostlabel labelname # certification common name
+    #   port 24284
+    #   shared_key .... # optional shared key
+    #   username name # if required
+    #   password pass # if required
+    # </server>
+    def initialize
+      super
+      require 'socket'
+      require 'openssl'
+      require 'digest'
+    end
+    def configure(conf)
+      super
+      unless @allow_self_signed_certificate
+        raise Fluent::ConfigError, "not tested yet!"
+      end
+      @read_interval = @read_interval_msec / 1000.0
+      @socket_interval = @socket_interval_msec / 1000.0
+      # read <server> tags and set to nodes
+      @nodes = []
+      conf.elements.each do |element|
+        case element.name
+        when 'server'
+          unless element['host']
+            raise Fluent::ConfigError, "host missing in <server>"
+          end
+          node_shared_key = element['shared_key'] || @shared_key
+          @nodes.push Node.new(self, node_shared_key, element)
+        else
+          raise Fluent::ConfigError, "unknown config tag name #{element.name}"
+        end
+      end
+      if @nodes.size > 1
+        raise Fluent::ConfigError, "Two or more servers are not supported yet."
+      end
+      true
+    end
+    def select_node
+      #TODO: roundrobin? random?
+      @nodes.select(&:established?).first
+    end
+    def start
+      super
+      OpenSSL::Random.seed(File.read("/dev/random", 16))
+      @nodes.each do |node|
+        node.start
+      end
+      @nodewatcher = Thread.new(&method(:node_watcher))
+    end
+    def node_watcher
+      loop do
+        sleep @reconnect_interval
+        $log.debug "in node health watcher"
+        (0...(@nodes.size)).each do |i|
+          $log.debug "node health watcher for #{@nodes[i].host}"
+          if @nodes[i].state != :established
+            $log.info "dead connection found: #{@nodes[i].host}, reconnecting..."
+            node = @nodes[i]
+            @nodes[i] = node.dup
+            @nodes[i].start
+            node.shutdown
+          end
+        end
+      end
+    end
+    def shutdown
+      @nodewatcher.kill
+      @nodewatcher.join
+      @nodes.each do |node|
+        node.shutdown
+      end
+    end
+    def write_objects(tag, es)
+      #TODO: check errors
+      node = select_node
+      unless node
+        raise "no one nodes with valid ssl session"
+      end
+      begin
+        send_data(node, tag, es)
+      rescue IOError => e
+        $log.warn "Failed to send messages to #{node.host}, parging."
+        node.shutdown
+      end
+    end
+    # MessagePack FixArray length = 2
+    FORWARD_HEADER = [0x92].pack('C')
+    # to forward messages
+    def send_data(node, tag, es)
+      ssl = node.sslsession
+      # beginArray(2)
+      ssl.write FORWARD_HEADER
+      # writeRaw(tag)
+      ssl.write tag.to_msgpack
+      # beginRaw(size)
+      sz = es.size
+      #  # FixRaw
+      #  ssl.write [0xa0 | sz].pack('C')
+      #elsif sz < 65536
+      #  # raw 16
+      #  ssl.write [0xda, sz].pack('Cn')
+      #else
+      # raw 32
+      ssl.write [0xdb, sz].pack('CN')
+      #end
+      # writeRawBody(packed_es)
+      es.write_to(ssl)
+    end
+    class Node # Fluent::SecureForwardOutput::Node
+      attr_accessor :host, :port, :hostlabel, :shared_key, :username, :password
+      attr_accessor :authentication, :keepalive
+      attr_accessor :socket, :sslsession, :unpacker, :shared_key_salt, :state
+      def initialize(sender, shared_key, conf)
+        @sender = sender
+        @shared_key = shared_key
+        @host = conf['host']
+        @port = (conf['port'] || DEFAULT_SECURE_CONNECT_PORT).to_i
+        @hostlabel = conf['hostlabel'] || conf['host']
+        @username = conf['username'] || ''
+        @password = conf['password'] || ''
+        @authentication = nil
+        @keepalive = nil
+        @socket = nil
+        @sslsession = nil
+        @unpacker = MessagePack::Unpacker.new
+        @shared_key_salt = generate_salt
+        @state = :helo
+        @thread = nil
+      end
+      def dup
+        Node.new(
+          @sender,
+          @shared_key,
+          {'host' => @host, 'port' => @port, 'hostlabel' => @hostlabel, 'username' => @username, 'password' => @password}
+        )
+      end
+      def start
+        @thread = Thread.new(&method(:connect))
+      end
+      def shutdown
+        $log.debug "shutting down node #{@host}"
+        @state = :closed
+        if @thread == Thread.current
+          @sslsession.close if @sslsession
+          @socket.close if @socket
+          @thread.kill
+        else
+          if @thread
+            @thread.kill
+            @thread.join
+          end
+          @sslsession.close if @sslsession
+          @socket.close if @socket
+        end
+      rescue => e
+        $log.debug "#{e.class}:#{e.message}"
+      end
+      def verify_result_name(code)
+        case code
+        when OpenSSL::X509::V_OK then 'V_OK'
+        when OpenSSL::X509::V_ERR_AKID_SKID_MISMATCH then 'V_ERR_AKID_SKID_MISMATCH'
+        when OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION then 'V_ERR_APPLICATION_VERIFICATION'
+        when OpenSSL::X509::V_ERR_CERT_CHAIN_TOO_LONG then 'V_ERR_CERT_CHAIN_TOO_LONG'
+        when OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED then 'V_ERR_CERT_HAS_EXPIRED'
+        when OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID then 'V_ERR_CERT_NOT_YET_VALID'
+        when OpenSSL::X509::V_ERR_CERT_REJECTED then 'V_ERR_CERT_REJECTED'
+        when OpenSSL::X509::V_ERR_CERT_REVOKED then 'V_ERR_CERT_REVOKED'
+        when OpenSSL::X509::V_ERR_CERT_SIGNATURE_FAILURE then 'V_ERR_CERT_SIGNATURE_FAILURE'
+        when OpenSSL::X509::V_ERR_CERT_UNTRUSTED then 'V_ERR_CERT_UNTRUSTED'
+        when OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED then 'V_ERR_CRL_HAS_EXPIRED'
+        when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID then 'V_ERR_CRL_NOT_YET_VALID'
+        when OpenSSL::X509::V_ERR_CRL_SIGNATURE_FAILURE then 'V_ERR_CRL_SIGNATURE_FAILURE'
+        when OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT then 'V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT'
+        when OpenSSL::X509::V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD then 'V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD'
+        when OpenSSL::X509::V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD then 'V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD'
+        when OpenSSL::X509::V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD then 'V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD'
+        when OpenSSL::X509::V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD then 'V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD'
+        when OpenSSL::X509::V_ERR_INVALID_CA then 'V_ERR_INVALID_CA'
+        when OpenSSL::X509::V_ERR_INVALID_PURPOSE then 'V_ERR_INVALID_PURPOSE'
+        when OpenSSL::X509::V_ERR_KEYUSAGE_NO_CERTSIGN then 'V_ERR_KEYUSAGE_NO_CERTSIGN'
+        when OpenSSL::X509::V_ERR_OUT_OF_MEM then 'V_ERR_OUT_OF_MEM'
+        when OpenSSL::X509::V_ERR_PATH_LENGTH_EXCEEDED then 'V_ERR_PATH_LENGTH_EXCEEDED'
+        when OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN then 'V_ERR_SELF_SIGNED_CERT_IN_CHAIN'
+        when OpenSSL::X509::V_ERR_SUBJECT_ISSUER_MISMATCH then 'V_ERR_SUBJECT_ISSUER_MISMATCH'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY then 'V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE then 'V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE then 'V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL then 'V_ERR_UNABLE_TO_GET_CRL'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT then 'V_ERR_UNABLE_TO_GET_ISSUER_CERT'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY then 'V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE then 'V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE'
+        end
+      end
+      def established?
+        @state == :established
+      end
+      def generate_salt
+        OpenSSL::Random.random_bytes(16)
+      end
+      def check_helo(message)
+        $log.debug "checking helo"
+        # ['HELO', options(hash)]
+        unless message.size == 2 && message[0] == 'HELO'
+          return false
+        end
+        opts = message[1]
+        @authentication = opts['auth']
+        @keepalive = opts['keepalive']
+        true
+      end
+      def generate_ping
+        $log.debug "generating ping"
+        # ['PING', self_hostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + self_hostname + shared_key),
+        #  username || '', sha512\_hex(auth\_salt + username + password) || '']
+        shared_key_hexdigest = Digest::SHA512.new.update(@shared_key_salt).update(@sender.self_hostname).update(@shared_key).hexdigest
+        ping = ['PING', @sender.self_hostname, @shared_key_salt, shared_key_hexdigest]
+        if @authentication != ''
+          password_hexdigest = Digest::SHA512.new.update(@authentication).update(@username).update(@password).hexdigest
+          ping.push(@username, password_hexdigest)
+        else
+          ping.push('','')
+        end
+        ping
+      end
+      def check_pong(message)
+        $log.debug "checking pong"
+        # ['PONG', bool(authentication result), 'reason if authentication failed',
+        #  self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
+        unless message.size == 5 && message[0] == 'PONG'
+          return false, 'invalid format for PONG message'
+        end
+        pong, auth_result, reason, hostname, shared_key_hexdigest = message
+        unless auth_result
+          return false, 'authentication failed: ' + reason
+        end
+        clientside = Digest::SHA512.new.update(@shared_key_salt).update(hostname).update(@shared_key).hexdigest
+        unless shared_key_hexdigest == clientside
+          return false, 'shared key mismatch'
+        end
+        return true, nil
+      end
+      def send_data(data)
+        @sslsession.write data.to_msgpack
+      end
+      def on_read(data)
+        $log.debug "on_read"
+        if self.established?
+          #TODO: ACK
+          $log.warn "unknown packets arrived..."
+          return
+        end
+        case @state
+        when :helo
+          # TODO: log debug
+          unless check_helo(data)
+            $log.warn "received invalid helo message from #{@host}"
+            self.shutdown
+            return
+          end
+          send_data generate_ping()
+          @state = :pingpong
+        when :pingpong
+          success, reason = check_pong(data)
+          unless success
+            $log.warn "connection refused to #{@host}:" + reason
+            self.shutdown
+            return
+          end
+          $log.info "connection established to #{@host}"
+          @state = :established
+        end
+      end
+      def connect
+        $log.debug "starting client"
+        sock = TCPSocket.new(@host, @port)
+        opt = [1, @sender.send_timeout.to_i].pack('I!I!')  # { int l_onoff; int l_linger; }
+        sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_LINGER, opt)
+        opt = [@sender.send_timeout.to_i, 0].pack('L!L!')  # struct timeval
+        sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_SNDTIMEO, opt)
+        # TODO: SSLContext constructer parameter (SSL/TLS protocol version)
+        context = OpenSSL::SSL::SSLContext.new
+        context.ca_file = @cert_file_path
+        # TODO: context.ciphers= (SSL Shared key chiper protocols)
+        sslsession = OpenSSL::SSL::SSLSocket.new(sock, context)
+        sslsession.connect
+        begin
+          unless @sender.allow_self_signed_certificate
+            $log.debug sslsession.peer_cert.subject.to_s
+            sslsession.post_connection_check(@hostlabel)
+            verify = sslsession.verify_result
+            if verify != OpenSSL::X509::V_OK
+              err_name = verify_result_name(verify)
+              $log.warn "failed to verify certification while connecting host #{@host} as #{@hostlabel} (but not raised, why?)"
+              $log.warn "verify_result: #{err_name}"
+              raise RuntimeError, "failed to verify certification while connecting host #{@host} as #{@hostlabel}"
+            end
+          end
+        rescue OpenSSL::SSL::SSLError => e
+          $log.warn "failed to verify certification while connecting host #{@host} as #{@hostlabel}"
+          self.shutdown
+          raise
+        end
+        $log.debug "ssl sessison connected"
+        @socket = sock
+        @sslsession = sslsession
+        buf = ''
+        read_length = @sender.read_length
+        read_interval = @sender.read_interval
+        socket_interval = @sender.socket_interval
+        loop do
+          begin
+            while @sslsession.read_nonblock(read_length, buf)
+              if buf == ''
+                sleep read_interval
+                next
+              end
+              @unpacker.feed_each(buf, &method(:on_read))
+              buf = ''
+            end
+          rescue OpenSSL::SSL::SSLError
+            # to wait i/o restart
+            sleep socket_interval
+          rescue EOFError
+            $log.warn "disconnected from #{@host}"
+            break
+          end
+        end
+        self.shutdown
+      end
+    end
+  end
+end