[Toybox] [RFC] ktls is in 4.13.
Rob Landley
rob at landley.net
Tue Sep 5 18:33:08 PDT 2017
On 09/05/2017 04:52 PM, Robert Thompson wrote:
> When you get back to this, probably the two most useful places for
> seeing how much existing tls code is required for ktls would be
>
> https://github.com/ktls/af_ktls-tool/blob/master/client.c
> https://github.com/ktls/af_ktls-tool/blob/master/xlibgnutls.c
>
> The af_ktls-tool contains a bunch of testing noise, but also contains a
> test client. The test client (starting around client.c line 1096) calls
> the gnutls-based initiator (in xlibgnutls) then uses the ktls feature
> with the gnutls-initiated session info.
>
> It really looks like using ktls will depend on a full openssl or gnutls
> library.
Yeah, that's what I was hoping to avoid.
Piping data through a separate encryption executable à la stunnel isn't a
_bad_ solution (same as tar piping through gzip); I just don't want an
if/else staircase for the different command line syntaxes of stunnel,
openssl, bearssl, and whatever else is out there. :P
> Also, at the moment, ktls only implements one crypto suite (AES
> GCM), so a client using ktls can't interoperate with all webservers.
> (on the server side it matters less because the server-operator can
> choose only to use AES GCM, and all clients will have to support
> that).
All clients have to support that, but all servers don't?
Makes perfect sense, for servers are less up-to-date than clients; it's
not like servers have the same exposure to security vulnerabilities as
clients...
Grumble grumble,
Rob
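For the record, what actually crosses from the userland TLS library into the kernel in 4.13 is small, and it is worth seeing why that still does not let a client skip the library. The following is an added example, not code from Toybox or from af_ktls-tool: after a library such as gnutls has finished the handshake, the caller installs the TLS 1.2 AES-128-GCM write keys on an established TCP socket with two setsockopt calls (select the "tls" ULP, then TLS_TX). The handshake, certificate validation and key derivation still happen in userland; the kernel only does record-layer encryption, transmit direction only, for that one cipher suite. The function names ktls_build_aes_gcm_128 and ktls_attach_tx are assumed names for this example, and the key, salt and IV bytes are constructed sample values, not a real session. The constants and struct layout are those of the kernel UAPI header linux/tls.h; the fallback definitions exist only so the example compiles on a host without that header.

```c
/* Added example: handing TLS 1.2 AES-128-GCM session keys to Linux kTLS (4.13).
 * Not code from Toybox or af_ktls-tool. Function names are assumed for this
 * example; all key material below is constructed sample data. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

#if __has_include(<linux/tls.h>)
#include <linux/tls.h>
#else
/* Fallback: values and layout from the 4.13 UAPI header linux/tls.h, for
 * hosts that lack it (only so the example builds; kTLS needs the real kernel). */
#define TLS_TX 1
#define TLS_1_2_VERSION 0x0303
#define TLS_CIPHER_AES_GCM_128 51
#define TLS_CIPHER_AES_GCM_128_IV_SIZE 8
#define TLS_CIPHER_AES_GCM_128_KEY_SIZE 16
#define TLS_CIPHER_AES_GCM_128_SALT_SIZE 4
#define TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE 8
struct tls_crypto_info { uint16_t version; uint16_t cipher_type; };
struct tls12_crypto_info_aes_gcm_128 {
    struct tls_crypto_info info;
    unsigned char iv[TLS_CIPHER_AES_GCM_128_IV_SIZE];
    unsigned char key[TLS_CIPHER_AES_GCM_128_KEY_SIZE];
    unsigned char salt[TLS_CIPHER_AES_GCM_128_SALT_SIZE];
    unsigned char rec_seq[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
};
#endif
#ifndef SOL_TLS
#define SOL_TLS 282   /* socket level for TLS_TX; value from linux/tls.h */
#endif
#ifndef TCP_ULP
#define TCP_ULP 31    /* TCP socket option selecting an upper-layer protocol */
#endif

/* Fill the crypto_info the kernel expects from handshake-derived material:
 * the 16-byte AES write key, the 4-byte implicit nonce (salt), the 8-byte
 * explicit nonce, and the next record sequence number. The caller got these
 * from its TLS library; kTLS never sees the handshake itself.
 * Returns 0, or -1 if a length does not match the only suite 4.13 supports. */
int ktls_build_aes_gcm_128(struct tls12_crypto_info_aes_gcm_128 *ci,
                           const unsigned char *key, size_t key_len,
                           const unsigned char *salt, size_t salt_len,
                           const unsigned char *iv, size_t iv_len,
                           uint64_t rec_seq)
{
    if (key_len != TLS_CIPHER_AES_GCM_128_KEY_SIZE ||
        salt_len != TLS_CIPHER_AES_GCM_128_SALT_SIZE ||
        iv_len != TLS_CIPHER_AES_GCM_128_IV_SIZE)
        return -1;
    memset(ci, 0, sizeof(*ci));
    ci->info.version = TLS_1_2_VERSION;
    ci->info.cipher_type = TLS_CIPHER_AES_GCM_128;
    memcpy(ci->key, key, key_len);
    memcpy(ci->salt, salt, salt_len);
    memcpy(ci->iv, iv, iv_len);
    /* The record sequence number is stored big-endian, as it appears on the wire. */
    for (int i = 0; i < TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE; i++)
        ci->rec_seq[i] = (unsigned char)(rec_seq >> (56 - 8 * i));
    return 0;
}

/* Attach kTLS to an already established TCP socket: select the "tls" ULP,
 * then install the transmit keys. From then on plain write()/send() on fd
 * produces encrypted TLS records. Returns 0, or -errno from the failing step. */
int ktls_attach_tx(int fd, const struct tls12_crypto_info_aes_gcm_128 *ci)
{
    /* ENOENT here usually means the tls module is not loaded;
     * ENOTCONN means the socket is not yet connected. */
    if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")) < 0)
        return -errno;
    /* Only TLS 1.2 + AES-128-GCM is accepted in 4.13; anything else is rejected. */
    if (setsockopt(fd, SOL_TLS, TLS_TX, ci, sizeof(*ci)) < 0)
        return -errno;
    return 0;
}

/* Constructed sample key material standing in for a library's handshake output. */
static const unsigned char sample_key[16]  = "0123456789abcdef";
static const unsigned char sample_salt[4]  = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char sample_iv[8]    = { 1, 2, 3, 4, 5, 6, 7, 8 };

/* Convenience wrapper for the sample data; returns the build result. */
int ktls_build_sample(struct tls12_crypto_info_aes_gcm_128 *ci, uint64_t seq)
{
    return ktls_build_aes_gcm_128(ci, sample_key, sizeof(sample_key),
                                  sample_salt, sizeof(sample_salt),
                                  sample_iv, sizeof(sample_iv), seq);
}
```

Two things this makes visible for the thread's question. First, nothing in the kernel interface replaces the library: every byte in the struct is output of a handshake that userland still has to run, so a tiny client cannot drop gnutls or openssl by using kTLS. Second, the struct is specific to TLS 1.2 with AES-128-GCM and TLS_TX, which is the interoperability limit Robert describes; a server that negotiates another suite leaves the client doing all encryption in userland anyway.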