Author Topic: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?  (Read 1681 times)

Offline slaapliedje (Topic starter)

AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« on: October 19, 2014, 08:43:20 PM »
So I'm not sure how much any of the Amiga community pays attention to all the nasty vulnerabilities that have been hitting the world lately, but apparently SSLv3 is now pretty much considered crap, as well as TLSv1.0.  

I was wondering if there are any plans to update either AmiSSL or the port of OpenSSL to a newer version that doesn't make SSL encrypted sites completely useless?

http://sourceforge.net/projects/amissl/

http://amiga.sourceforge.net/OpenSSL/

Which project is still the most developed?  Kind of silly to have two 'standards' for it.

slaapliedje
A4000D: Mediator 4000Di; Voodoo 3, ZorRAM 128MB, 10/100mb Ethernet, Spider 2. Cyberstorm PPC 060/50 604e/420.
 

Offline itix

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #1 on: October 19, 2014, 09:19:34 PM »
Quote from: slaapliedje;775287
So I'm not sure how much any of the Amiga community pays attention to all the nasty vulnerabilities that have been hitting the world lately, but apparently SSLv3 is now pretty much considered crap, as well as TLSv1.0.  

I was wondering if there are any plans to update either AmiSSL or the port of OpenSSL to a newer version that doesn't make SSL encrypted sites completely useless?

http://sourceforge.net/projects/amissl/

http://amiga.sourceforge.net/OpenSSL/

Which project is still the most developed?  Kind of silly to have two 'standards' for it.


AmiSSL is OpenSSL with an Amiga library structure, i.e. it is a shared library. The Amiga OpenSSL project is just a recompile of OpenSSL with fewer tweaks and statically linked.

I think the AmiSSL project is pretty much dead. Amiga OpenSSL on the other hand requires a recompile of binaries, i.e. not going to happen.
My Amigas: A500, Mac Mini and PowerBook
 

Offline kvasir

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #2 on: October 19, 2014, 11:37:29 PM »
Quote from: itix;775289
AmiSSL is OpenSSL with an Amiga library structure, i.e. it is a shared library. The Amiga OpenSSL project is just a recompile of OpenSSL with fewer tweaks and statically linked.

I think the AmiSSL project is pretty much dead. Amiga OpenSSL on the other hand requires a recompile of binaries, i.e. not going to happen.


Just got referred to this thread by asking a similar question on Amigaworld.net, tried both amissl and openssl as is with no success. (Not surprised either, though.) Hoping something can be patched up so this will work again. I would offer to compile this stuff, but my skills with a compiler are a bit rusty.
--
Amiga 1200T 68060 50MHZ 192MB Fast
 40GB IDE, 100MB Zip, CD/RW, DVD/Rom
 Mediator+ 4MBSVGA, Soundblaster, 100mbps Ethernet
 Subway USB+ endless list of gadgets :-D
My full specs
 

Offline Hans_

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #3 on: October 20, 2014, 01:38:28 AM »
Quote from: itix;775289
I think the AmiSSL project is pretty much dead. Amiga OpenSSL on the other hand requires a recompile of binaries, i.e. not going to happen.


I hope that you're wrong about AmiSSL being dead. With the SSL "poodle" vulnerability, SSL3 is set to be disabled on the bulk of servers on the internet. So, the current AmiSSL version is set to become pretty useless.

On AmigaOS4, an updated OpenSSL shared object could be compiled (for those programs that use shared objects), but a shared library really is the right way to go.

However, I notice that the last commit to the AmiSSL repository was about a month ago. So, maybe it's not dead after all...

Hans
http://hdrlab.org.nz/ - Amiga OS 4 projects, programming articles and more. Home of the RadeonHD driver for Amiga OS 4.x project.
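
Added example (not part of Hans_'s post, and not AmiSSL or OpenSSL code): the version check behind the point above, where a server with SSL 3.0 disabled refuses a client that can offer nothing newer. It covers SSL 3.0 through TLS 1.2 only; the ClientHello bytes are constructed, and the function names and the server's TLS 1.0 to TLS 1.2 range are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire values of the protocol versions discussed in the thread. */
enum { SSL3_0 = 0x0300, TLS1_0 = 0x0301, TLS1_1 = 0x0302, TLS1_2 = 0x0303 };

/* Constructed samples: the first 11 bytes of a ClientHello
 * (5-byte record header, 4-byte handshake header, 2-byte client_version). */
static const uint8_t SSL3_ONLY_HELLO[] = {   /* client tops out at SSL 3.0 */
    0x16, 0x03, 0x00, 0x00, 0x2d,  0x01, 0x00, 0x00, 0x29,  0x03, 0x00 };
static const uint8_t TLS12_HELLO[] = {       /* client offers TLS 1.2 */
    0x16, 0x03, 0x01, 0x00, 0x2d,  0x01, 0x00, 0x00, 0x29,  0x03, 0x03 };

/* Returns the highest version the client offers, or -1 if the buffer is
 * too short or does not start with a handshake record holding a ClientHello. */
int client_hello_version(const uint8_t *buf, size_t len)
{
    if (len < 11) return -1;          /* need record + handshake hdr + version */
    if (buf[0] != 0x16) return -1;    /* record content type: handshake */
    if (buf[5] != 0x01) return -1;    /* handshake type: ClientHello */
    return (buf[9] << 8) | buf[10];   /* client_version, big-endian */
}

/* Server-side decision: pick the highest version both sides support; refuse
 * the handshake if that is below the server's minimum.
 * Returns the negotiated version, or -1 when the handshake is refused. */
int negotiate(int client_max, int server_min, int server_max)
{
    int v = client_max < server_max ? client_max : server_max;
    if (client_max < 0 || v < server_min) return -1;
    return v;
}

int main(void)
{
    int old = client_hello_version(SSL3_ONLY_HELLO, sizeof SSL3_ONLY_HELLO);
    int cur = client_hello_version(TLS12_HELLO, sizeof TLS12_HELLO);
    /* Assumed server policy: SSL 3.0 disabled, TLS 1.0 to TLS 1.2 enabled. */
    printf("SSL3-only client: %d\n", negotiate(old, TLS1_0, TLS1_2));
    printf("TLS 1.2 client:   0x%04x\n", (unsigned)negotiate(cur, TLS1_0, TLS1_2));
    return 0;
}
```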
 

Offline itix

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #4 on: October 20, 2014, 03:48:52 AM »
I was thinking about making a shared library from openssl but it is impractical in many ways. The API is unstable and changes from version to version and I would have to change the library name every time it becomes incompatible. Then it is also easy to make a small mistake in transforming the build to a shared library and introduce bugs that would not be there in a static build. And last but not least, if there are any changes to the openssl code base, users must wait until the changes are merged and a new library is built. That could take only a few minutes at best but developers are not on call 24/7.

On the other hand, if developers just use statically linked openssl it is more robust and security fixes can be applied without relying on another party updating the library code.

It is a neat idea but I am now just happy I didn't go there.
My Amigas: A500, Mac Mini and PowerBook
 

Offline olsen

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #5 on: October 20, 2014, 10:13:22 AM »
Quote from: slaapliedje;775287
So I'm not sure how much any of the Amiga community pays attention to all the nasty vulnerabilities that have been hitting the world lately, but apparently SSLv3 is now pretty much considered crap, as well as TLSv1.0.  

I was wondering if there are any plans to update either AmiSSL or the port of OpenSSL to a newer version that doesn't make SSL encrypted sites completely useless?

http://sourceforge.net/projects/amissl/

http://amiga.sourceforge.net/OpenSSL/

Which project is still the most developed?  Kind of silly to have two 'standards' for it.

slaapliedje


As far as I know AmiSSL is being worked upon, but technical difficulties with regard to the 68k build are currently making progress really, really hard.
 

Offline buzz

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #6 on: October 20, 2014, 02:51:25 PM »
Probably would be beneficial to look at something other than openssl as a base for a library on the amiga such as polarssl (https://polarssl.org/). Much smaller - I use polarssl on the original xbox for xbmc4xbox for libcurl and librtmp.

https://polarssl.org/openssl-alternative
 

Offline slaapliedje (Topic starter)

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #7 on: October 22, 2014, 12:55:15 AM »
That's a great idea, Buzz.  I know one of the goals of LibreSSL is to make the code base a lot smaller, but then I think a lot of the work they've been putting into that involves dropping support for legacy systems like VMS.  Not sure if Amiga was on that list.

slaapliedje
A4000D: Mediator 4000Di; Voodoo 3, ZorRAM 128MB, 10/100mb Ethernet, Spider 2. Cyberstorm PPC 060/50 604e/420.
 

Offline Hans_

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #8 on: October 22, 2014, 08:46:29 AM »
Quote from: slaapliedje;775414
That's a great idea, Buzz.  I know one of the goals of LibreSSL is to make the code base a lot smaller, but then I think a lot of the work they've been putting into that involves dropping support for legacy systems like VMS.  Not sure if Amiga was on that list.


You should also consider how rigorously the code is checked for bugs, and how quickly problems are patched. Given that we're talking about a protocol for secure communications, we don't want to end up with something that has known exploits that aren't fixed quickly enough.

Hans
http://hdrlab.org.nz/ - Amiga OS 4 projects, programming articles and more. Home of the RadeonHD driver for Amiga OS 4.x project.
 

Offline olsen

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #9 on: October 22, 2014, 12:58:10 PM »
Quote from: buzz;775312
Probably would be beneficial to look at something other than openssl as a base for a library on the amiga such as polarssl (https://polarssl.org/). Much smaller - I use polarssl on the original xbox for xbmc4xbox for libcurl and librtmp.

https://polarssl.org/openssl-alternative

Contemporary Amiga software which uses the SSL/TLS functionality requires API compatibility with amissl.library, which makes a port of PolarSSL a difficult option at best.

Prior to amissl.library OpenSSL-based SSL/TLS solutions did exist, for example in Miami & Miami Deluxe, so it's not mandatory to have a single SSL library API.

However, much of the existing Amiga software that uses SSL/TLS relies upon a specific library and its API and cannot be easily changed, if it can be changed :(
 

Offline itix

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #10 on: October 22, 2014, 01:49:14 PM »
Quote from: olsen;775431
Contemporary Amiga software which uses the SSL/TLS functionality requires API compatibility with amissl.library, which makes a port of PolarSSL a difficult option at best.

Prior to amissl.library OpenSSL-based SSL/TLS solutions did exist, for example in Miami & Miami Deluxe, so it's not mandatory to have a single SSL library API.

However, much of the existing Amiga software that uses SSL/TLS relies upon a specific library and its API and cannot be easily changed, if it can be changed :(


True, and it is also the same with programs linked against openssl, like OWB.
My Amigas: A500, Mac Mini and PowerBook
 

Offline buzz

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #11 on: October 22, 2014, 05:11:02 PM »
Quote from: Hans_;775425
You should also consider how rigorously the code is checked for bugs, and how quickly problems are patched. Given that we're talking about a protocol for secure communications, we don't want to end up with something that has known exploits that aren't fixed quickly enough.

Do some reading up on polarssl then? It is certainly in active development. It is supported by some well known software - openvpn, curl, etc.

[edit] Sorry, I think I misread - you are referring to the libressl fork?
« Last Edit: October 22, 2014, 05:34:56 PM by buzz »
 

Offline buzz

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #12 on: October 22, 2014, 05:14:52 PM »
Quote from: olsen;775431
Contemporary Amiga software which uses the SSL/TLS functionality requires API compatibility with amissl.library, which makes a port of PolarSSL a difficult option at best.

The software could be adapted I guess, if still in development. Anyway, I was just throwing ideas out there. Adapting software to use the polarssl api is not too tricky, if the source is available - unfortunately not the case very often in amiga land (check projects like curl, librtmp, openvpn which support both). There is at least one other ssl solution out there that has an openssl compatible api - cyassl I think.

polarssl is still far more suited to the amiga than openssl, and a lot easier to build/adapt.
« Last Edit: October 22, 2014, 07:22:12 PM by buzz »
 

Offline buzz

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #13 on: October 22, 2014, 07:25:16 PM »
Looks like polarssl does have an openssl wrapper - not sure if it is up to date/working/maintained - but if it works it would make keeping the api compatible easier.
 

Offline Hans_

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #14 on: October 22, 2014, 09:07:12 PM »
Quote from: buzz;775441
Do some reading up on polarssl then? It is certainly in active development. It is supported by some well known software - openvpn, curl, etc.

[edit] Sorry, I think I misread - you are referring to the libressl fork?

I wasn't referring to anything in particular, but did have the libressl fork in mind. It sounded like a lapse in code review process may have allowed the heartbleed vulnerability into OpenSSL, which is the kind of thing that we want to avoid.

I have no idea about the coding standards of the other SSL implementations, but do think that this is worth considering. Something as critical to security as SSL needs a more rigorous development process than your typical application.

Hans
http://hdrlab.org.nz/ - Amiga OS 4 projects, programming articles and more. Home of the RadeonHD driver for Amiga OS 4.x project.