[Toybox] Apache TLS implementation?
Isaac Dunham
ibid.ag at gmail.com
Mon Jul 20 08:53:00 PDT 2015
On Sun, Jul 19, 2015 at 11:47:40PM -0500, Rob Landley wrote:
>
>
> On 07/19/2015 07:13 PM, Isaac Dunham wrote:
> > On Sun, Jul 19, 2015 at 06:52:36PM -0500, Rob Landley wrote:
> >> I haven't had a chance to follow up on Isaac's wget yet, but has anybody
> >> poked at https://lwn.net/Articles/649764/ yet and tried to get _that_ to
> >> do a stunnel-like thing (ala the openssl command line he mentioned)?
> >>
> >> Just wondering. Putting together release notes for 0.6.0 and finding all
> >> sorts of loose ends, as you do. :)
> >
> > Repo: github.com/awslabs/s2n
> > I see that "s2n/echo.c" is not quite what we want; it emits a little verbiage
> > about the connection to stdout.
> > But s2n/s2nc.c seems to be roughly what we want, except for the little detail
> > of how it needs URLs passed (host port, not host:port).
> > HOWEVER, be warned that this is not a full TLS stack, but a TLS implementation
> > built on top of OpenSSL's crypto implementation.
>
> Sigh. Oh well.
>
> (I don't suppose there's an obvious way to glue it to dropbear?)
if ["$it" == s2n]
Not that I'm aware of.
elif ["$it" == "$wget_ssl_cmd" ]
I wouldn't know.
Since you mention dropbear...I noticed work on an Alpine package for tinyssh;
apparently that's actually got usable code, though they don't recommend
any use other than testing yet.
> > FWIW, axtls includes an "axssl" command that's compatible with the commonly
> > used portion of openssl's syntax.
>
> Good to know, but axtls.sourceforge.net went away with the rest of
> sourceforge when they had their "hard drive crash" last week.
Crud. I hadn't heard of that.
There is a mirror somewhere on github, and I've done some small patches based
off that...
Ah, there: github.com/SuperHouse/axtls
I need to push mine to github sometime.
Upstream wasn't very active; I think that repo has the last commits from it.
Issues to beware of:
- axTLS uses RC4 a lot. (Yes, the cipher that was just removed from SSL.)
  I've got a patch I sent them not long ago that will allow disabling
  RC4 as far as network protocol negotiation goes.
- make sure to use /dev/urandom; the fallback PRNG is home-brewed and RC4
  based.
It's kconfig-based, which I find nice...and they managed to make that
fairly simple, rather than copying the complexity that Busybox has.
HTH,
Isaac