
Author Topic: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?  (Read 7021 times)


Offline itix

  • Hero Member
  • *****
  • Join Date: Oct 2002
  • Posts: 2380
Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« on: October 19, 2014, 09:19:34 PM »
Quote from: slaapliedje;775287
So I'm not sure how much any of the Amiga community pays attention to all the nasty vulnerabilities that have been hitting the world lately, but apparently SSLv3 is now pretty much considered crap, as well as TLSv1.0.  

I was wondering if there are any plans to update either AmiSSL or the port of OpenSSL to a newer version that doesn't make SSL encrypted sites completely useless?

http://sourceforge.net/projects/amissl/

http://amiga.sourceforge.net/OpenSSL/

Which project is still the most developed?  Kind of silly to have two 'standards' for it.


AmiSSL is OpenSSL with Amiga library structure i.e. it is shared library. Amiga OpenSSL project is just recompile of OpenSSL with less tweaks and statically linked.

I think AmiSSL project is pretty much dead. Amiga OpenSSL on the other hand requires recompile of binaries i.e. not going to happen.
My Amigas: A500, Mac Mini and PowerBook
 

Offline itix

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #1 on: October 20, 2014, 03:48:52 AM »
I was thinking about making shared library from openssl but it is impractical in many ways. API is unstable and changes from version to version and I would have to change library name every time it becomes incompatible. Then it is also easy to make small mistake in transforming build to shared library and introduce bugs that would not be there in static build. And last but not least if there are any changes to openssl code base users must wait until changes are merged and new library is built. That could take only few minutes at best but developers are not on call 24/7.

On the other hand if developers just use statically linked openssl it is more robust and security fixes can be applied without relying on other party updating library code.

It is neat idea but I am now just happy I didn't go there.
My Amigas: A500, Mac Mini and PowerBook
 

Offline itix

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #2 on: October 22, 2014, 01:49:14 PM »
Quote from: olsen;775431
Contemporary Amiga software which uses the SSL/TLS functionality requires API compatibility with amissl.library, which makes a port of PolarSSL a difficult option at best.

Prior to amissl.library OpenSSL-based SSL/TLS solutions did exist, for example in Miami & Miami Deluxe, so it's not mandatory to have a single SSL library API.

However, much of the existing Amiga software that uses SSL/TLS relies upon a specific library and its API and cannot be easily changed, if it can be changed :(


True, and it is also the same with programs linked against openssl, like OWB.
My Amigas: A500, Mac Mini and PowerBook
 

Offline itix

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #3 on: October 25, 2014, 02:10:18 AM »
Quote from: LoadWB;775600
Aren't most IP stacks based largely on the BSD reference?  Even if written from scratch, I don't think IPv4 has changed much at all in recent years.


I think the message kolla is trying to get through is that they lack IPv6 support. And even if they did, our web applications need to be updated to support IPv6.

Haven't still noticed any problems, yet.
My Amigas: A500, Mac Mini and PowerBook
 

Offline itix

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #4 on: October 26, 2014, 09:27:05 PM »
Quote from: slaapliedje;775723

This is pretty typical though of a lot of Amiga-related discussions.  "Well who cares, I don't use that anyhow, and it's old, let it die!"  Well, I am pretty sure the same SSL stack is used on OS4 and MorphOS, so wouldn't they really want to fix this?


It is already fixed. OWB is using rather decent openssl 1.0.1g

http://fabportnawak.free.fr/owb/owb-morphos-1.24.readme

Like I said when it is a link library changes can be quickly adopted to the software. AmiSSL way is neat but shared libraries need more testing and active maintainers.

So my suggestion is software developers should not use AmiSSL anymore but use openssl or similar library directly. You get security fixes sooner, you cut development time and you achieve same results.
My Amigas: A500, Mac Mini and PowerBook
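
Added example, not part of any post in this thread: when each program carries its own statically linked OpenSSL, as discussed above, every binary has to be checked separately for which OpenSSL it embeds. This sketch scans a binary image for the OpenSSL version banner and reports whether that release line can offer TLS 1.1/1.2 (first available in OpenSSL 1.0.1). The function names and the sample byte strings are constructed for illustration.

```python
import re

# Version banner embedded in OpenSSL builds of this era,
# e.g. b"OpenSSL 1.0.1g 7 Apr 2014".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

# TLS 1.1 and TLS 1.2 first shipped in the OpenSSL 1.0.1 release line.
FIRST_WITH_TLS12 = (1, 0, 1, "")


def sort_key(version):
    """Order versions; patch letters run '' < a < ... < z < za < zb."""
    major, minor, fix, letters = version
    return (major, minor, fix, len(letters), letters)


def embedded_versions(image: bytes):
    """Return the distinct OpenSSL versions whose banner occurs in image."""
    found = set()
    for m in BANNER.finditer(image):
        major, minor, fix = (int(g) for g in m.group(1, 2, 3))
        found.add((major, minor, fix, m.group(4).decode("ascii")))
    return sorted(found, key=sort_key)


def audit(image: bytes):
    """List (version, can_offer_tls12) for every OpenSSL copy found.

    An empty list means no banner was found, not that the program is safe:
    it may use a shared library or another TLS stack.
    """
    report = []
    for v in embedded_versions(image):
        text = "%d.%d.%d%s" % v
        report.append((text, sort_key(v) >= sort_key(FIRST_WITH_TLS12)))
    return report


# Constructed sample images (not real binaries): filler bytes around a banner.
NEWER = b"\x00\x00\x03\xf3" + b"\x00" * 16 + b"OpenSSL 1.0.1g 7 Apr 2014\x00rest"
OLDER = b"\x00\x00\x03\xf3" + b"\x00" * 16 + b"OpenSSL 0.9.7g 11 Apr 2005\x00rest"

if __name__ == "__main__":
    for name, image in (("newer", NEWER), ("older", OLDER), ("none", b"no tls")):
        print(name, audit(image))
```

A version at or above 1.0.1 only shows what the embedded library can negotiate; which protocol versions the application actually enables is a separate check.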
 

Offline itix

Re: AmiSSL / OpenSSL updates to support TLSv1.1/1.2?
« Reply #5 on: October 26, 2014, 10:14:47 PM »
Quote from: slaapliedje;775732
Good to know, whatever happened to the port of OWB to 3.9/m68k?  I know there is an earlier build of it, but it was horribly broken last time I tried it.


OWB relies heavily on MUI4 so it is not easy to port it to 3.9. It would need someone who knows MUI quite well. And you have to get latest openssl compiled. It should be fairly easy (I suppose so) but all those little details add up.

Problem with 68k Amiga is there is no team maintaining development system and APIs are not actively updated. So this topic, AmiSSL / OpenSSL updates comes to the fact that we (well, you) need a team behind Amiga.
My Amigas: A500, Mac Mini and PowerBook