RubyGems - fluent-plugin-secure-forward - Versions diffs - 0.0.1 - Mend

fluent-plugin-secure-forward 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

data/.gitignore +24 -0
data/Gemfile +4 -0
data/LICENSE.txt +13 -0
data/README.md +238 -0
data/Rakefile +2 -0
data/example/auth_client.conf +19 -0
data/example/auth_server.conf +30 -0
data/example/cert_client.conf +22 -0
data/example/cert_server.conf +34 -0
data/example/certs/cert.pem +18 -0
data/example/certs/key.pem +15 -0
data/example/client.conf +13 -0
data/example/server.conf +10 -0
data/fluent-plugin-secure-forward.gemspec +20 -0
data/lib/fluent/plugin/in_secure_forward.rb +402 -0
data/lib/fluent/plugin/out_secure_forward.rb +417 -0
data/test/plugin/test_in_secure_forward.rb +0 -0
data/test/plugin/test_out_secure_forward.rb +0 -0
metadata +129 -0

data/example/server.conf ADDED Viewed

@@ -0,0 +1,10 @@
+<source>
+  type secure_forward
+  self_hostname server
+  shared_key hogeposxxx0
+  cert_auto_generate yes
+</source>
+<match test.**>
+  type stdout
+</match>

data/fluent-plugin-secure-forward.gemspec ADDED Viewed

@@ -0,0 +1,20 @@
+# -*- encoding: utf-8 -*-
+Gem::Specification.new do |gem|
+  gem.name          = "fluent-plugin-secure-forward"
+  gem.version       = "0.0.1"
+  gem.authors       = ["TAGOMORI Satoshi"]
+  gem.email         = ["tagomoris@gmail.com"]
+  gem.summary       = %q{Fluentd input/output plugin to forward over SSL with authentications}
+  gem.description   = %q{This version is HIGHLY EXPERIMENTAL. DON'T USE IN PRODUCTION}
+  gem.homepage      = "https://github.com/tagomoris/fluent-plugin-secure-forward"
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+  gem.add_development_dependency "fluentd"
+  gem.add_development_dependency "fluent-mixin-config-placeholders"
+  gem.add_runtime_dependency "fluentd"
+  gem.add_runtime_dependency "fluent-mixin-config-placeholders"
+end

data/lib/fluent/plugin/in_secure_forward.rb ADDED Viewed

@@ -0,0 +1,402 @@
+# -*- coding: utf-8 -*-
+require 'fluent/mixin/config_placeholders'
+module Fluent
+  class SecureForwardInput < Input
+    DEFAULT_SECURE_LISTEN_PORT = 24284
+    Fluent::Plugin.register_input('secure_forward', self)
+    config_param :self_hostname, :string
+    include Fluent::Mixin::ConfigPlaceholders
+    config_param :shared_key, :string
+    config_param :bind, :string, :default => '0.0.0.0'
+    config_param :port, :integer, :default => DEFAULT_SECURE_LISTEN_PORT
+    config_param :allow_keepalive, :bool, :default => true #TODO: implement
+    config_param :allow_anonymous_source, :bool, :default => true
+    config_param :authentication, :bool, :default => false
+    ## meaningless for security...? not implemented yet
+    # config_param :dns_reverse_lookup_check, :bool, :default => false
+    config_param :cert_auto_generate, :bool, :default => false
+    config_param :generate_private_key_length, :integer, :default => 2048
+    config_param :generate_cert_country, :string, :default => 'US'
+    config_param :generate_cert_state, :string, :default => 'CA'
+    config_param :generate_cert_locality, :string, :default => 'Mountain View'
+    config_param :generate_cert_common_name, :string, :default => nil
+    config_param :cert_file_path, :string, :default => nil
+    config_param :private_key_file, :string, :default => nil
+    config_param :private_key_passphrase, :string, :default => nil
+    config_param :read_length, :size, :default => 8*1024*1024 # 8MB
+    config_param :read_interval_msec, :integer, :default => 50 # 50ms
+    config_param :socket_interval_msec, :integer, :default => 200 # 200ms
+    attr_reader :read_interval, :socket_interval
+    attr_reader :users # list of (username, password) by <user> tag
+    # <user>
+    #   username ....
+    #   password ....
+    # </user>
+    attr_reader :nodes # list of hosts, allowed to connect <server> tag (it includes source ip, shared_key(optional))
+    # <client>
+    #   host ipaddr/hostname
+    #   shared_key .... # optional shared key
+    #   users username,list,of,allowed
+    # </client>
+    attr_reader :sessions # node/socket/thread list which has sslsocket instance keepaliving to client
+    def initialize
+      super
+      require 'resolv'
+      require 'socket'
+      require 'openssl'
+      require 'digest'
+    end
+    def configure(conf)
+      super
+      unless @cert_auto_generate || @cert_file_path
+        raise Fluent::ConfigError, "One of 'cert_auto_generate' or 'cert_file_path' must be specified"
+      end
+      @read_interval = @read_interval_msec / 1000.0
+      @socket_interval = @socket_interval_msec / 1000.0
+      @users = []
+      @nodes = []
+      conf.elements.each do |element|
+        case element.name
+        when 'user'
+          unless element['username'] && element['password']
+            raise Fluent::ConfigError, "username/password pair missing in <user>"
+          end
+          @users.push({
+              username: element['username'],
+              password: element['password']
+            })
+        when 'client'
+          unless element['host']
+            raise Fluent::ConfigError, "host missing in <client>"
+          end
+          @nodes.push({
+              host: element['host'],
+              shared_key: (element['shared_key'] || @shared_key),
+              users: (element['users'] ? element['users'].split(',') : nil),
+            })
+        else
+          raise Fluent::ConfigError, "unknown config tag name"
+        end
+      end
+      @generate_cert_common_name ||= @self_hostname
+      self.certificate
+      true
+    end
+    def start
+      super
+      OpenSSL::Random.seed(File.read("/dev/random", 16))
+      @sessions = []
+      @sock = nil
+      @listener = Thread.new(&method(:run))
+    end
+    def shutdown
+      @listener.kill
+      @listener.join
+      @sessions.each{ |s| s.shutdown }
+      @sock.close
+    end
+    def select_authenticate_users(node, username)
+      if node.nil? || node[:users].nil?
+        @users.select{|u| u[:username] == username}
+      else
+        @users.select{|u| node[:users].include?(u[:username]) && u[:username] == username}
+      end
+    end
+    def certificate
+      return @cert, @key if @cert && @key
+      if @cert_auto_generate
+        key = OpenSSL::PKey::RSA.generate(@generate_private_key_length)
+        digest = OpenSSL::Digest::SHA1.new
+        issuer = subject = OpenSSL::X509::Name.new
+        subject.add_entry('C', @generate_cert_country)
+        subject.add_entry('ST', @generate_cert_state)
+        subject.add_entry('L', @generate_cert_locality)
+        subject.add_entry('CN', @generate_cert_common_name)
+        cer = OpenSSL::X509::Certificate.new
+        cer.not_before = Time.at(0)
+        cer.not_after = Time.at(0)
+        cer.public_key = key
+        cer.serial = 1
+        cer.issuer = issuer
+        cer.subject  = subject
+        cer.sign(key, digest)
+        @cert = cer
+        @key = key
+        return @cert, @key
+      end
+      @cert = OpenSSL::X509::Certificate.new(File.read(@cert_file_path))
+      @key = OpenSSL::PKey::RSA.new(File.read(@private_key_file), @private_key_passphrase)
+    end
+    def run # sslsocket server thread
+      cert, key = self.certificate
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.cert = cert
+      ctx.key = key
+      server = TCPServer.new(@bind, @port)
+      @sock = OpenSSL::SSL::SSLServer.new(server, ctx)
+      loop do
+        while socket = @sock.accept
+          @sessions.push Session.new(self, socket)
+        end
+      end
+    end
+    def on_message(msg)
+      # NOTE: copy&paste from Fluent::ForwardInput#on_message(msg)
+      # TODO: format error
+      tag = msg[0].to_s
+      entries = msg[1]
+      if entries.class == String
+        # PackedForward
+        es = MessagePackEventStream.new(entries, @cached_unpacker)
+        Fluent::Engine.emit_stream(tag, es)
+      elsif entries.class == Array
+        # Forward
+        es = Fluent::MultiEventStream.new
+        entries.each {|e|
+          time = e[0].to_i
+          time = (now ||= Fluent::Engine.now) if time == 0
+          record = e[1]
+          es.add(time, record)
+        }
+        Fluent::Engine.emit_stream(tag, es)
+      else
+        # Message
+        time = msg[1]
+        time = Fluent::Engine.now if time == 0
+        record = msg[2]
+        Fluent::Engine.emit(tag, time, record)
+      end
+    end
+    class Session # Fluent::SecureForwardInput::Session
+      attr_accessor :receiver
+      attr_accessor :state, :thread, :node, :socket, :unpacker, :auth_salt
+      def initialize(receiver, socket)
+        @receiver = receiver
+        @state = :helo
+        @socket = socket
+        @socket.sync = true
+        @ipaddress = nil
+        @node = nil
+        @unpacker = MessagePack::Unpacker.new
+        @thread = Thread.new(&method(:start))
+      end
+      def established?
+        @state == :established
+      end
+      def generate_salt
+        OpenSSL::Random.random_bytes(16)
+      end
+      def check_node(hostname, ipaddress, port, proto)
+        node = nil
+        family = Socket.const_get(proto)
+        @receiver.nodes.each do |n|
+          proto, port, host, ipaddr, family_num, socktype_num, proto_num = Socket.getaddrinfo(n[:host], port, family).first
+          if ipaddr == ipaddress
+            node = n
+            break
+          end
+        end
+        node
+      end
+      ## not implemented yet
+      # def check_hostname_reverse_lookup(ipaddress)
+      #   rev_name = Resolv.getname(ipaddress)
+      #   proto, port, host, ipaddr, family_num, socktype_num, proto_num = Socket.getaddrinfo(rev_name, DUMMY_PORT)
+      #   unless ipaddr == ipaddress
+      #     return false
+      #   end
+      #   true
+      # end
+      def generate_helo
+        $log.debug "generating helo"
+        # ['HELO', options(hash)]
+        [ 'HELO', {'auth' => (@receiver.authentication ? @auth_key_salt : ''), 'keepalive' => @receiver.allow_keepalive } ]
+      end
+      def check_ping(message)
+        $log.debug "checking ping"
+        # ['PING', self_hostname, shared_key\_salt, sha512\_hex(shared_key\_salt + self_hostname + shared_key),
+        #  username || '', sha512\_hex(auth\_salt + username + password) || '']
+        unless message.size == 6 && message[0] == 'PING'
+          return false, 'invalid ping message'
+        end
+        ping, hostname, shared_key_salt, shared_key_hexdigest, username, password_digest = message
+        shared_key = if @node && @node[:shared_key]
+                       @node[:shared_key]
+                     else
+                       @receiver.shared_key
+                     end
+        serverside = Digest::SHA512.new.update(shared_key_salt).update(hostname).update(shared_key).hexdigest
+        if shared_key_hexdigest != serverside
+          $log.warn "Shared key mismatch from '#{hostname}'"
+          return false, 'shared_key mismatch'
+        end
+        if @receiver.authentication
+          users = @receiver.select_authenticate_users(@node, username)
+          success = false
+          users.each do |user|
+            passhash = Digest::SHA512.new.update(@auth_key_salt).update(username).update(user[:password]).hexdigest
+            success ||= (passhash == password_digest)
+          end
+          unless success
+            $log.warn "Authentication failed from client '#{hostname}', username '#{username}'"
+            return false, 'username/password mismatch'
+          end
+        end
+        return true, shared_key_salt
+      end
+      def generate_pong(auth_result, reason_or_salt)
+        $log.debug "generating pong"
+        # ['PONG', bool(authentication result), 'reason if authentication failed',
+        #  self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
+        if not auth_result
+          return ['PONG', false, reason_or_salt, '', '']
+        end
+        shared_key = if @node && @node[:shared_key]
+                       @node[:shared_key]
+                     else
+                       @receiver.shared_key
+                     end
+        shared_key_hex = Digest::SHA512.new.update(reason_or_salt).update(@receiver.self_hostname).update(shared_key).hexdigest
+        [ 'PONG', true, '', @receiver.self_hostname, shared_key_hex ]
+      end
+      def on_read(data)
+        $log.debug "on_read"
+        if self.established?
+          @receiver.on_message(data)
+        end
+        case @state
+        when :pingpong
+          success, reason_or_salt = self.check_ping(data)
+          if not success
+            send_data generate_pong(false, reason_or_salt)
+            self.shutdown
+            return
+          end
+          send_data generate_pong(true, reason_or_salt)
+          $log.debug "connection established"
+          @state = :established
+        end
+      end
+      def send_data(data)
+        # not nonblock because write data (response) needs sequence
+        @socket.write data.to_msgpack
+      end
+      def start
+        $log.debug "starting server"
+        proto, port, host, ipaddr = @socket.io.addr
+        @node = check_node(host, ipaddr, port, proto)
+        if @node.nil? && (! @receiver.allow_anonymous_source)
+          $log.warn "Connection required from unknown host '#{host}' (#{ipaddr}), disconnecting..."
+          self.shutdown
+        end
+        @auth_key_salt = generate_salt
+        buf = ''
+        read_length = @receiver.read_length
+        read_interval = @receiver.read_interval
+        socket_interval = @receiver.socket_interval
+        send_data generate_helo()
+        @state = :pingpong
+        loop do
+          begin
+            while @socket.read_nonblock(read_length, buf)
+              if buf == ''
+                sleep read_interval
+                next
+              end
+              @unpacker.feed_each(buf, &method(:on_read))
+              buf = ''
+            end
+          rescue OpenSSL::SSL::SSLError => e
+            # to wait i/o restart
+            sleep socket_interval
+          rescue EOFError => e
+            $log.debug "Connection closed from '#{host}'(#{ipaddr})"
+            break
+          end
+        end
+        self.shutdown
+      rescue => e
+        $log.warn e
+      end
+      def shutdown
+        @state = :closed
+        if @thread == Thread.current
+          @socket.close
+          @thread.kill
+        else
+          if @thread
+            @thread.kill
+            @thread.join
+          end
+          @socket.close
+        end
+      rescue => e
+        $log.debug "#{e.class}:#{e.message}"
+      end
+    end
+  end
+end

data/lib/fluent/plugin/out_secure_forward.rb ADDED Viewed

@@ -0,0 +1,417 @@
+# -*- coding: utf-8 -*-
+require 'fluent/mixin/config_placeholders'
+module Fluent
+  class SecureForwardOutput < ObjectBufferedOutput
+    DEFAULT_SECURE_CONNECT_PORT = 24284
+    Fluent::Plugin.register_output('secure_forward', self)
+    config_param :self_hostname, :string
+    include Fluent::Mixin::ConfigPlaceholders
+    config_param :shared_key, :string
+    # config_param :keepalive, :time, :default => 3600 # 0 means disable keepalive
+    config_param :send_timeout, :time, :default => 60
+    # config_param :hard_timeout, :time, :default => 60
+    # config_param :expire_dns_cache, :time, :default => 0 # 0 means disable cache
+    config_param :allow_self_signed_certificate, :bool, :default => true
+    config_param :ca_file_path, :string, :default => nil
+    config_param :read_length, :size, :default => 512 # 512bytes
+    config_param :read_interval_msec, :integer, :default => 50 # 50ms
+    config_param :socket_interval_msec, :integer, :default => 200 # 200ms
+    config_param :reconnect_interval, :time, :default => 15
+    attr_reader :read_interval, :socket_interval
+    attr_reader :nodes
+    # <server>
+    #   host ipaddr/hostname
+    #   hostlabel labelname # certification common name
+    #   port 24284
+    #   shared_key .... # optional shared key
+    #   username name # if required
+    #   password pass # if required
+    # </server>
+    def initialize
+      super
+      require 'socket'
+      require 'openssl'
+      require 'digest'
+    end
+    def configure(conf)
+      super
+      unless @allow_self_signed_certificate
+        raise Fluent::ConfigError, "not tested yet!"
+      end
+      @read_interval = @read_interval_msec / 1000.0
+      @socket_interval = @socket_interval_msec / 1000.0
+      # read <server> tags and set to nodes
+      @nodes = []
+      conf.elements.each do |element|
+        case element.name
+        when 'server'
+          unless element['host']
+            raise Fluent::ConfigError, "host missing in <server>"
+          end
+          node_shared_key = element['shared_key'] || @shared_key
+          @nodes.push Node.new(self, node_shared_key, element)
+        else
+          raise Fluent::ConfigError, "unknown config tag name #{element.name}"
+        end
+      end
+      if @nodes.size > 1
+        raise Fluent::ConfigError, "Two or more servers are not supported yet."
+      end
+      true
+    end
+    def select_node
+      #TODO: roundrobin? random?
+      @nodes.select(&:established?).first
+    end
+    def start
+      super
+      OpenSSL::Random.seed(File.read("/dev/random", 16))
+      @nodes.each do |node|
+        node.start
+      end
+      @nodewatcher = Thread.new(&method(:node_watcher))
+    end
+    def node_watcher
+      loop do
+        sleep @reconnect_interval
+        $log.debug "in node health watcher"
+        (0...(@nodes.size)).each do |i|
+          $log.debug "node health watcher for #{@nodes[i].host}"
+          if @nodes[i].state != :established
+            $log.info "dead connection found: #{@nodes[i].host}, reconnecting..."
+            node = @nodes[i]
+            @nodes[i] = node.dup
+            @nodes[i].start
+            node.shutdown
+          end
+        end
+      end
+    end
+    def shutdown
+      @nodewatcher.kill
+      @nodewatcher.join
+      @nodes.each do |node|
+        node.shutdown
+      end
+    end
+    def write_objects(tag, es)
+      #TODO: check errors
+      node = select_node
+      unless node
+        raise "no one nodes with valid ssl session"
+      end
+      begin
+        send_data(node, tag, es)
+      rescue IOError => e
+        $log.warn "Failed to send messages to #{node.host}, parging."
+        node.shutdown
+      end
+    end
+    # MessagePack FixArray length = 2
+    FORWARD_HEADER = [0x92].pack('C')
+    # to forward messages
+    def send_data(node, tag, es)
+      ssl = node.sslsession
+      # beginArray(2)
+      ssl.write FORWARD_HEADER
+      # writeRaw(tag)
+      ssl.write tag.to_msgpack
+      # beginRaw(size)
+      sz = es.size
+      #  # FixRaw
+      #  ssl.write [0xa0 | sz].pack('C')
+      #elsif sz < 65536
+      #  # raw 16
+      #  ssl.write [0xda, sz].pack('Cn')
+      #else
+      # raw 32
+      ssl.write [0xdb, sz].pack('CN')
+      #end
+      # writeRawBody(packed_es)
+      es.write_to(ssl)
+    end
+    class Node # Fluent::SecureForwardOutput::Node
+      attr_accessor :host, :port, :hostlabel, :shared_key, :username, :password
+      attr_accessor :authentication, :keepalive
+      attr_accessor :socket, :sslsession, :unpacker, :shared_key_salt, :state
+      def initialize(sender, shared_key, conf)
+        @sender = sender
+        @shared_key = shared_key
+        @host = conf['host']
+        @port = (conf['port'] || DEFAULT_SECURE_CONNECT_PORT).to_i
+        @hostlabel = conf['hostlabel'] || conf['host']
+        @username = conf['username'] || ''
+        @password = conf['password'] || ''
+        @authentication = nil
+        @keepalive = nil
+        @socket = nil
+        @sslsession = nil
+        @unpacker = MessagePack::Unpacker.new
+        @shared_key_salt = generate_salt
+        @state = :helo
+        @thread = nil
+      end
+      def dup
+        Node.new(
+          @sender,
+          @shared_key,
+          {'host' => @host, 'port' => @port, 'hostlabel' => @hostlabel, 'username' => @username, 'password' => @password}
+        )
+      end
+      def start
+        @thread = Thread.new(&method(:connect))
+      end
+      def shutdown
+        $log.debug "shutting down node #{@host}"
+        @state = :closed
+        if @thread == Thread.current
+          @sslsession.close if @sslsession
+          @socket.close if @socket
+          @thread.kill
+        else
+          if @thread
+            @thread.kill
+            @thread.join
+          end
+          @sslsession.close if @sslsession
+          @socket.close if @socket
+        end
+      rescue => e
+        $log.debug "#{e.class}:#{e.message}"
+      end
+      def verify_result_name(code)
+        case code
+        when OpenSSL::X509::V_OK then 'V_OK'
+        when OpenSSL::X509::V_ERR_AKID_SKID_MISMATCH then 'V_ERR_AKID_SKID_MISMATCH'
+        when OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION then 'V_ERR_APPLICATION_VERIFICATION'
+        when OpenSSL::X509::V_ERR_CERT_CHAIN_TOO_LONG then 'V_ERR_CERT_CHAIN_TOO_LONG'
+        when OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED then 'V_ERR_CERT_HAS_EXPIRED'
+        when OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID then 'V_ERR_CERT_NOT_YET_VALID'
+        when OpenSSL::X509::V_ERR_CERT_REJECTED then 'V_ERR_CERT_REJECTED'
+        when OpenSSL::X509::V_ERR_CERT_REVOKED then 'V_ERR_CERT_REVOKED'
+        when OpenSSL::X509::V_ERR_CERT_SIGNATURE_FAILURE then 'V_ERR_CERT_SIGNATURE_FAILURE'
+        when OpenSSL::X509::V_ERR_CERT_UNTRUSTED then 'V_ERR_CERT_UNTRUSTED'
+        when OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED then 'V_ERR_CRL_HAS_EXPIRED'
+        when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID then 'V_ERR_CRL_NOT_YET_VALID'
+        when OpenSSL::X509::V_ERR_CRL_SIGNATURE_FAILURE then 'V_ERR_CRL_SIGNATURE_FAILURE'
+        when OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT then 'V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT'
+        when OpenSSL::X509::V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD then 'V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD'
+        when OpenSSL::X509::V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD then 'V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD'
+        when OpenSSL::X509::V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD then 'V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD'
+        when OpenSSL::X509::V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD then 'V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD'
+        when OpenSSL::X509::V_ERR_INVALID_CA then 'V_ERR_INVALID_CA'
+        when OpenSSL::X509::V_ERR_INVALID_PURPOSE then 'V_ERR_INVALID_PURPOSE'
+        when OpenSSL::X509::V_ERR_KEYUSAGE_NO_CERTSIGN then 'V_ERR_KEYUSAGE_NO_CERTSIGN'
+        when OpenSSL::X509::V_ERR_OUT_OF_MEM then 'V_ERR_OUT_OF_MEM'
+        when OpenSSL::X509::V_ERR_PATH_LENGTH_EXCEEDED then 'V_ERR_PATH_LENGTH_EXCEEDED'
+        when OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN then 'V_ERR_SELF_SIGNED_CERT_IN_CHAIN'
+        when OpenSSL::X509::V_ERR_SUBJECT_ISSUER_MISMATCH then 'V_ERR_SUBJECT_ISSUER_MISMATCH'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY then 'V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE then 'V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE then 'V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL then 'V_ERR_UNABLE_TO_GET_CRL'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT then 'V_ERR_UNABLE_TO_GET_ISSUER_CERT'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY then 'V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+        when OpenSSL::X509::V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE then 'V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE'
+        end
+      end
+      def established?
+        @state == :established
+      end
+      def generate_salt
+        OpenSSL::Random.random_bytes(16)
+      end
+      def check_helo(message)
+        $log.debug "checking helo"
+        # ['HELO', options(hash)]
+        unless message.size == 2 && message[0] == 'HELO'
+          return false
+        end
+        opts = message[1]
+        @authentication = opts['auth']
+        @keepalive = opts['keepalive']
+        true
+      end
+      def generate_ping
+        $log.debug "generating ping"
+        # ['PING', self_hostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + self_hostname + shared_key),
+        #  username || '', sha512\_hex(auth\_salt + username + password) || '']
+        shared_key_hexdigest = Digest::SHA512.new.update(@shared_key_salt).update(@sender.self_hostname).update(@shared_key).hexdigest
+        ping = ['PING', @sender.self_hostname, @shared_key_salt, shared_key_hexdigest]
+        if @authentication != ''
+          password_hexdigest = Digest::SHA512.new.update(@authentication).update(@username).update(@password).hexdigest
+          ping.push(@username, password_hexdigest)
+        else
+          ping.push('','')
+        end
+        ping
+      end
+      def check_pong(message)
+        $log.debug "checking pong"
+        # ['PONG', bool(authentication result), 'reason if authentication failed',
+        #  self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
+        unless message.size == 5 && message[0] == 'PONG'
+          return false, 'invalid format for PONG message'
+        end
+        pong, auth_result, reason, hostname, shared_key_hexdigest = message
+        unless auth_result
+          return false, 'authentication failed: ' + reason
+        end
+        clientside = Digest::SHA512.new.update(@shared_key_salt).update(hostname).update(@shared_key).hexdigest
+        unless shared_key_hexdigest == clientside
+          return false, 'shared key mismatch'
+        end
+        return true, nil
+      end
+      def send_data(data)
+        @sslsession.write data.to_msgpack
+      end
+      def on_read(data)
+        $log.debug "on_read"
+        if self.established?
+          #TODO: ACK
+          $log.warn "unknown packets arrived..."
+          return
+        end
+        case @state
+        when :helo
+          # TODO: log debug
+          unless check_helo(data)
+            $log.warn "received invalid helo message from #{@host}"
+            self.shutdown
+            return
+          end
+          send_data generate_ping()
+          @state = :pingpong
+        when :pingpong
+          success, reason = check_pong(data)
+          unless success
+            $log.warn "connection refused to #{@host}:" + reason
+            self.shutdown
+            return
+          end
+          $log.info "connection established to #{@host}"
+          @state = :established
+        end
+      end
+      def connect
+        $log.debug "starting client"
+        sock = TCPSocket.new(@host, @port)
+        opt = [1, @sender.send_timeout.to_i].pack('I!I!')  # { int l_onoff; int l_linger; }
+        sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_LINGER, opt)
+        opt = [@sender.send_timeout.to_i, 0].pack('L!L!')  # struct timeval
+        sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_SNDTIMEO, opt)
+        # TODO: SSLContext constructer parameter (SSL/TLS protocol version)
+        context = OpenSSL::SSL::SSLContext.new
+        context.ca_file = @cert_file_path
+        # TODO: context.ciphers= (SSL Shared key chiper protocols)
+        sslsession = OpenSSL::SSL::SSLSocket.new(sock, context)
+        sslsession.connect
+        begin
+          unless @sender.allow_self_signed_certificate
+            $log.debug sslsession.peer_cert.subject.to_s
+            sslsession.post_connection_check(@hostlabel)
+            verify = sslsession.verify_result
+            if verify != OpenSSL::X509::V_OK
+              err_name = verify_result_name(verify)
+              $log.warn "failed to verify certification while connecting host #{@host} as #{@hostlabel} (but not raised, why?)"
+              $log.warn "verify_result: #{err_name}"
+              raise RuntimeError, "failed to verify certification while connecting host #{@host} as #{@hostlabel}"
+            end
+          end
+        rescue OpenSSL::SSL::SSLError => e
+          $log.warn "failed to verify certification while connecting host #{@host} as #{@hostlabel}"
+          self.shutdown
+          raise
+        end
+        $log.debug "ssl sessison connected"
+        @socket = sock
+        @sslsession = sslsession
+        buf = ''
+        read_length = @sender.read_length
+        read_interval = @sender.read_interval
+        socket_interval = @sender.socket_interval
+        loop do
+          begin
+            while @sslsession.read_nonblock(read_length, buf)
+              if buf == ''
+                sleep read_interval
+                next
+              end
+              @unpacker.feed_each(buf, &method(:on_read))
+              buf = ''
+            end
+          rescue OpenSSL::SSL::SSLError
+            # to wait i/o restart
+            sleep socket_interval
+          rescue EOFError
+            $log.warn "disconnected from #{@host}"
+            break
+          end
+        end
+        self.shutdown
+      end
+    end
+  end
+end