[Toybox] Apache TLS implementation?

Rob Landley rob at landley.net
Mon Jul 20 20:52:48 PDT 2015



On 07/20/2015 10:53 AM, Isaac Dunham wrote:
> On Sun, Jul 19, 2015 at 11:47:40PM -0500, Rob Landley wrote:
>>> Repo: github.com/awslabs/s2n
>>> I see that "s2n/echo.c" is not quite what we want; it emits a little verbiage
>>> about the connection to stdout.
>>> But s2n/s2nc.c seems to be roughly what we want, except for the little detail
>>> of how it needs URLs passed (host port, not host:port).
>>> HOWEVER, be warned that this is not a full TLS stack, but a TLS implementation
>>> built on top of OpenSSL's crypto implementation.
>>
>> Sigh. Oh well.
>>
>> (I don't suppose there's an obvious way to glue it to dropbear?)
> if ["$it" == s2n]
> 	Not that I'm aware of.
> elif ["$it" == "$wget_ssl_cmd" ]
> 	I wouldn't know.

Getting an stunnel variant out of dropbear, since it already has the
basic crypto plumbing.

Various people (including me) have asked about this over the past decade:

http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2005q4/000295.html

And the answer was more or less "patches welcome". I dug into it myself
but reading the TLS RFC was quite a slog and I find the libtommath and
libtomcrypt code borderline unintelligible. Never got enough traction to
move it up the todo list...

> Since you mention dropbear...I noticed work on an Alpine package for tinyssh;
> apparently that's actually got useable code, though they don't recommend
> any use other than testing yet.

Last time we looked at that it _really_ wasn't ripe:

http://www.landley.net/notes-2014.html#31-03-2014
https://twitter.com/gnomon/status/444978247286026241
http://lists.landley.net/pipermail/toybox-landley.net/2014-June/003468.html

Dropbear's good enough that I haven't looked very hard for a replacement;
the problem was always that it didn't do https...

>>> FWIW, axtls includes an "axssl" command that's compatible with the commonly
>>> used portion of openssl's syntax.
>>
>> Good to know, but axtls.sourceforge.net went away with the rest of
>> sourceforge when they had their "hard drive crash" last week.
> 
> Crud. I hadn't heard of that.

http://www.techrepublic.com/article/its-time-to-go-away-sourceforge/
http://www.theregister.co.uk/2015/07/17/souceforge_titsup/
http://www.theregister.co.uk/2015/07/19/sourceforge_storage_fault/

Total coincidence, I'm sure.

> There is a mirror somewhere on github, and I've done some small patches based
> off that...
> Ah, there:  github.com/SuperHouse/axtls
> I need to push mine to github sometime.
> Upstream wasn't very active; I think that repo has the last commits from it.

A mirror of the webpage would be nice. (And was there a mailing list?)

I was curious what the license of this package was, so I googled and
found a different tls mirror last email, and the git repo doesn't have
an obvious license label (possibly I just don't know how to navigate
github's web stuff). The README says "See www/index.html for the README,
CHANGELOG, LICENSE and other notes." The www/index.html file is 7000
lines of javascript (a copy of "tiddlywiki") with no actual content that
I can spot.

Further googling found http://www.freshports.org/security/axTLS/ which
claims it's 3BSD, but I can't say my impression of the project was "easy
to use, well supported by an existing community"...

> Issues to beware of:
> -axTLS uses RC4 a lot. (Yes, the cipher that was just removed from SSL.)
>  I've got a patch I sent them not long ago that will allow disabling
>  RC4 as far as network protocol negotiation.
> -make sure to use /dev/urandom; the fallback PRNG is home-brewed and RC4
>  based.
> 
> It's kconfig-based, which I find nice...and they managed to make that
> fairly simple, rather than copying the complexity that Busybox has.

I really need to write my kconfig-compatible menuconfig replacement
implementation. Alas, it's one of over a dozen "I really need to do X"
things on the todo list...

> HTH,
> Isaac

Rob
