Author Topic: AmiSSL / OpenSSL updates to support TLSv1.1/1.2? (Read 6991 times)

slaapliedje · « **on:** October 19, 2014, 08:43:20 PM »

So I'm not sure how much any of the Amiga community pays attention to all the nasty vulnerabilities that have been hitting the world lately, but apparently SSLv3 is now pretty much considered crap, as well as TLSv1.0.

I was wondering if there are any plans to update either AmiSSL or the port of OpenSSL to a newer version that doesn't make SSL encrypted sites completely useless?

http://sourceforge.net/projects/amissl/

http://amiga.sourceforge.net/OpenSSL/

Which project is still the most developed? Kind of silly to have two 'standards' for it.

slaapliedje

slaapliedje · « **Reply #1 on:** October 22, 2014, 12:55:15 AM »

That's a great idea, Buzz. I know one of the goals of LibreSSL is to make the code base a lot smaller, but then I think a lot of the work they've been putting into that involves dropping support for legacy systems like VMS. Not sure if Amiga was on that list.

slaapliedje

slaapliedje · « **Reply #2 on:** October 25, 2014, 11:29:46 PM »

Exactly what Olsen said about IPv6, but that's not what this topic is about, it's about being able to see some sites with Amiga browsers (I know, it's weird to think we should try to make things compatible with such old things) but still something as basic a necessity as TLSv1.1 support is something I'd hope would be fairly easy to add to which every implementation is currently still being developed.

Most web servers (if they care about their clients) will start forcing at minimum TLSv1.1 (still seems to be things on the fence whether or not TLSv1.0 is vulnerable to the 'poodle' style attack. Red hat sure thinks it is).

The biggest problem with 'well who cares it's just Amiga' is that if people are completely unaware of this issue, they will think their information is secure when it really isn't. Granted you'd have to be pretty hard core to only browse the Internet with an Amiga, but I'm sure there are some of you out there that do.

I'm going to go with a car analogy here... even though they're usually horrible. Let's say they started coating specific roads for self driving cars. Of course only fancy rich folks can drive on those. Well all the stores move to those roads because that's where the money is at. While those with Dodge Dusters and sell women's shoes are stuck having to go to the crappy mall where they get mugged on a daily basis. Cops are all paid by the rich, protecting their self-driving cars.

That's pretty much the Amiga. It's a high pitched woman always spending your money, so you're stuck driving a duster to the mall to sell shoes.

slaapliedje

slaapliedje · « **Reply #3 on:** October 26, 2014, 12:13:42 AM »

Quote from: kolla;775634

You have any documentation about Apple not using IPv6 as default? I have had my Apple products on IPv6 only networks, and it worked fine, by default, out of the box.

Your dreamy ISP box is not happening anytime soon, the marked for such a device is not big enough and these days transition protocols are all about making the IPv4 world available for IPv6 only devices - _not_ the other way around, like you suggest!

How do you plan to map the vast number of IPv6 addresses out in the world to the small number of IPv4 addresses behind your magic router?

And no, it is not just IPv6 that lacking, there is also basic stuff like working path MTU discovery, anything doing with multicast (MiamiDx has a little), a whole range of DNS related issues, ancient DHCP implementations...

Well, sure they probably have it enabled by default, but it's not like they prioritize IPv6 over 4. And I'd like someone to name a single IPv6 only device. Really, I'd like to know if one exists.

You know, there's this thing called NAT... and how does having an ancient DHCP implementation affect anything but the Amiga? It still works fine with my isc-dhcp-server I'm running on my Debian box. Either way, all of this is irrelevant to the topic at hand of getting newer SSL.

slaapliedje

slaapliedje · « **Reply #4 on:** October 26, 2014, 08:25:58 PM »

Thank you to everyone who is not Kolla, who seem to support my thoughts.

For the record, 'they' really have been saying that for a very long time (14 years sounds about right). Hell, they were at least a few years ago that IPv4 was over, and everyone had to switch over to IPv6 NOW! What happened? Nothing. Even CenturyLink (my ISP) was saying that they were doing it... then when I tried to configure my modem to use IPv6, it simply didn't work. I finally managed to get it to work, so now both IPv6 and IPv4 work fine, and the whole reason NAT still works and will work forever is because you can easily have a firewall/router in place that will still translate your internal network for you so you can browse the Internet. There is no way they'll ever just drop that capability, because there are far too many systems out there that would simply stop working, and there are (non-US) countries out there who actually care about consumer rights.

It's like when Sony removed the Other OS option in the PS3. There was a huge uproar about that. Imagine if all IPv4 only devices stopped working on the Internet tomorrow?

Yes, back on topic, the support for newer versions of the SSL stack (TLS1.1 and TLS1.2) are simply needed for something that'll happen sooner than IPv6 only everywhere, and that would be HTTPS everywhere. I noticed amiga.org doesn't use https by default. I actually had to switch my server back to SSLv3 support, just so I could log into my webmail and get something I had ordered for my Amiga out of my email. (HSmathlibs) So yes, there is a reason for a networked Amiga. Could I have dropped it into an NFS share or an FTP server? Sure. It was more convenient to read it straight out of my email though.

This is pretty typical though of a lot of Amiga-related discussions. "Well who cares, I don't use that anyhow, and it's old, let it die!" Well, I am pretty sure the same SSL stack is used on OS4 and MorphOS, so wouldn't they really want to fix this?

slaapliedje

slaapliedje · « **Reply #5 on:** October 26, 2014, 08:34:24 PM »

I say we take this into consideration. HTTPS everywhere is most likely to happen far sooner than IPv6 only, especially in light of extensions like that. So we figure out how to fix AmiSSL (or other project), then work on getting IPv6 working.

While of course we get NetSurf (or other) to work with native widgets (MUI?). Would be sweet if we at least had some basic CSS support, which seems to be the way a lot of the Web is going.

As long as pages aren't using really heavy javascript, then even ibrowse is pretty fast. After I finally got my Amikit for Real set up on my A4000D, it loads pages really fast, as long as there isn't any heavy javascript.

slaapliedje

slaapliedje · « **Reply #6 on:** October 26, 2014, 09:50:06 PM »

Quote from: itix;775728

It is already fixed. OWB is using rather decent openssl 1.0.1g

http://fabportnawak.free.fr/owb/owb-morphos-1.24.readme

Like I said when it is a link library changes can be quickly adopted to the software. AmiSSL way is neat but shared libraries need more testing and active maintainers.

So my suggestion is software developers should not use AmiSSL anymore but use openssl or similar library directly. You get security fixes sooner, you cut development time and you achieve same results.

Good to know, whatever happened to the port of OWB to 3.9/m68k? I know there is an earlier build of it, but it was horribly broken last time I tried it.

slaapliedje

slaapliedje · « **Reply #7 on:** October 26, 2014, 10:21:07 PM »

Ha, yeah isn't that the painful truth.

I noticed they are finally doing something with m68k MUI (updated to 3.9 beta).

I also found this;

http://sourceforge.net/p/amissl/code/HEAD/tree/

Looks like they're updating it to OpenSSL 1.0.1i

I'm going to see if I can create a cross compiling environment (first, seems easier than getting a compiling environment under the Amiga itself). Then compile it and test it out.

Anyone try this?

http://fengestad.no/m68k-amigaos-toolchain/

slaapliedje

slaapliedje · « **Reply #8 on:** November 10, 2014, 01:03:34 AM »

https://wiki.debian.org/DebianIPv6

I figure all I'd have to do for when / if IPv4 ever goes away, is to set up a relay router as per that wiki page. But there isn't really a way for https to work this way, unless I attempt to do some sort of proxy configuration, which decrypts the info in the proxy and allows the Amiga to display it. This is possible, but not very 'secure'.

slaapliedje

slaapliedje · « **Reply #9 on:** October 17, 2016, 02:37:30 PM »

Awesome! One of the key components of keeping the Amiga 'modern'.

With how many systems the upstream source supports, I'm honestly surprised the ever dropped support for Amiga. I think it still has support for some really old systems, which is why a lot of it was ditched while making LibreSSL from what I'd read.