Author Topic: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?  (Read 6988 times)


Hans_

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« on: October 20, 2014, 01:38:28 AM »
Quote from: itix;775289
I think AmiSSL project is pretty much dead. Amiga OpenSSL on the other hand requires recompile of binaries i.e. not going to happen.


I hope that you're wrong about AmiSSL being dead. With the SSL "poodle" vulnerability, SSL3 is set to be disabled on the bulk of servers on the internet. So, the current AmiSSL version is set to become pretty useless.

On AmigaOS4, an updated OpenSSL shared object could be compiled (for those programs that use shared objects), but a shared library really is the right way to go.

However, I notice that the last commit to the AmiSSL repository was about a month ago. So, maybe it's not dead after all...

Hans
Join the Kea Campus - upgrade your skills; support my work; enjoy the Amiga corner.
https://keasigmadelta.com/ - see more of my work
 

Hans_

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #1 on: October 22, 2014, 08:46:29 AM »
Quote from: slaapliedje;775414
That's a great idea, Buzz.  I know one of the goals of LibreSSL is to make the code base a lot smaller, but then I think a lot of the work they've been putting into that involves dropping support for legacy systems like VMS.  Not sure if Amiga was on that list.


You should also consider how rigorously the code is checked for bugs, and how quickly problems are patched. Given that we're talking about a protocol for secure communications, we don't want to end up with something that has known exploits that aren't fixed quickly enough.

Hans
 

Hans_

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #2 on: October 22, 2014, 09:07:12 PM »
Quote from: buzz;775441
Do some reading up on polarssl then? It is certainly in active development. It is supported by some well-known software - openvpn, curl, etc.

[edit] Sorry, I think I misread - you are referring to the libressl fork?

I wasn't referring to anything in particular, but did have the libressl fork in mind. It sounded like a lapse in code review process may have allowed the heartbleed vulnerability into OpenSSL, which is the kind of thing that we want to avoid.

I have no idea about the coding standards of the other SSL implementations, but do think that this is worth considering. Something as critical to security as SSL needs a more rigorous development process than your typical application.

Hans
 

Hans_

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #3 on: October 26, 2014, 04:11:54 AM »
Quote from: kolla;775654
My point is that, since no one even cares about fixing the situation of the IP stack, I see little point in fixing the SSL situation. And regardless, AmigaOS was not developed with security in mind - _any_ crypting solution on Amiga systems is nothing but FAIL, since any program can sniff around anywhere in the memory. I don't know if MorphOS or OS4 developers take measures, using MMU for example, to sandbox and protect memory where decrypted data is stored, but for sure on AmigaOS this is not the case.


Sure, the local security will be the weak point in the chain, but SSL/TLS still prevents communications from being snooped on as the packets are relayed through the internet. Plus, there's a slow trend toward websites being HTTPS only (Google's pushing for this).

Hans
 

Hans_

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #4 on: October 26, 2014, 08:29:01 PM »
Quote from: kolla;775694
Regarding IPv6, I checked with peers on an IPv6 forum to make sure there's nothing I have overlooked, and they all agree with me. Only solution would be a stateful NAT46/DNS46 implementation, something that has not been done yet, and it would be very cumbersome and impractical since you simply cannot map 128bit address space into a 32bit address space. And do not expect ISPs to fix this, they are steadily moving towards IPv6 only to customers, many of them already use IPv6 only for management. It is coming and sooner than you think now.


I recently read an article in an IEEE magazine about IP protocol extensions that add several billion addresses in a way that's backward compatible to existing IPv4 stacks. I think that they're all based on this doc, but I can't find the article. These extensions could keep IPv4 running for a while longer while they wait for IPv6 to be more widely deployed.

Hans