<div dir="auto"><div>I suspect having basic ssl_init, ssl_read, ssl_write, ssl_close would be useful for quite a few use cases. I had thought about that earlier in the week but it seemed like something to consider when implementing a second use case.</div><div dir="auto"><br></div><div dir="auto">Denny's stuff is interesting, I do prefer Thomas Pornin's BearSSL implementation but it's an Apples / Oranges comparison. Constant time security focused and small vs Denny's make it as small as possible, reducing security and validation along the way. But Thomas's development on BearSSL has slowed to a crawl since he started developing new crypto routines and looking at compression. Even so, BearSSL is still the only TLS implementation that I know of (other than maybe WolfSSL) which has withstood the various recent timing attacks.</div><div dir="auto"><br></div><div dir="auto">Looking forward to your cleanup. I always learn something when you do so.</div><div dir="auto"><br></div><div dir="auto">- Eric</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Fri, 29 Oct 2021, 6:30 pm Rob Landley, <<a href="mailto:rob@landley.net">rob@landley.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 10/29/21 7:03 AM, Eric Molitor wrote:<br>
> Attached is a reworked patch which adds OpenSSL and BoringSSL support to wget.<br>
> It avoids the use of OpenSSL's IO abstractions and uses default settings which<br>
> should be sensible on any modern OpenSSL (1.1+) or BoringSSL version.<br>
<br>
I'm a little uncomfortable having two different sets of code to do the same<br>
thing. I suppose they could be moved to portability.[ch]. The "link against both<br>
libraries" issue is back, but at least shouldn't conflict...<br>
<br>
> I tested it with the latest version of BoringSSL but it should also work with<br>
> the fips branch of BoringSSL, if that is still a thing at Google.<br>
<br>
<a href="https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips" rel="noreferrer noreferrer" target="_blank">https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips</a><br>
<br>
It's still a thing at the US Government, and all their suppliers. (Which is<br>
somewhere between 1/4 and 1/3 of the US economy: US GDP is ~$23 trillion and the<br>
2021 estimated federal spending is just under $7 trillion...)<br>
<br>
> I also tested<br>
> it with OpenSSL 1.1.1l on Alpine and 1.1.1f on Ubuntu 20.04 LTS.<br>
<br>
Sigh. Applied (while grumbling), and I _really_ need to do a cleanup pass this<br>
weekend. (And ask Denys if I can get a license to his tls implementation.)<br>
<br>
> - Eric<br>
<br>
Rob<br>
</blockquote></div></div></div>