On 07/20/2015 10:53 AM, Isaac Dunham wrote:
> On Sun, Jul 19, 2015 at 11:47:40PM -0500, Rob Landley wrote:
>>> Repo: github.com/awslabs/s2n
>>> I see that "s2n/echo.c" is not quite what we want; it emits a little
>>> verbiage about the connection to stdout.
>>> But s2n/s2nc.c seems to be roughly what we want, except for the little
>>> detail of how it needs URLs passed (host port, not host:port).
>>> HOWEVER, be warned that this is not a full TLS stack, but a TLS
>>> implementation built on top of OpenSSL's crypto implementation.
>>
>> Sigh. Oh well.
>>
>> (I don't suppose there's an obvious way to glue it to dropbear?)
> if ["$it" == s2n]
> Not that I'm aware of.
> elif ["$it" == "$wget_ssl_cmd" ]
> I wouldn't know.
Getting an stunnel variant out of dropbear, since it already has the basic
crypto plumbing. Various people (including me) have asked about this over
the past decade:

http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2005q4/000295.html

And the answer was more or less "patches welcome". I dug into it myself,
but reading the TLS RFC was quite a slog and I find the libtommath and
libtomcrypt code borderline unintelligible. Never got enough traction to
move it up the todo list...

> Since you mention dropbear...I noticed work on an Alpine package for
> tinyssh; apparently that's actually got usable code, though they don't
> recommend any use other than testing yet.

Last time we looked at that it _really_ wasn't ripe:

http://www.landley.net/notes-2014.html#31-03-2014
https://twitter.com/gnomon/status/444978247286026241
http://lists.landley.net/pipermail/toybox-landley.net/2014-June/003468.html

Dropbear's good enough that I haven't looked very hard for a replacement;
the problem was always that it didn't do https...

>>> FWIW, axtls includes an "axssl" command that's compatible with the
>>> commonly used portion of openssl's syntax.
>>
>> Good to know, but axtls.sourceforge.net went away with the rest of
>> sourceforge when they had their "hard drive crash" last week.
>
> Crud. I hadn't heard of that.

http://www.techrepublic.com/article/its-time-to-go-away-sourceforge/
http://www.theregister.co.uk/2015/07/17/souceforge_titsup/
http://www.theregister.co.uk/2015/07/19/sourceforge_storage_fault/

Total coincidence, I'm sure.

> There is a mirror somewhere on github, and I've done some small patches
> based off that...
> Ah, there: github.com/SuperHouse/axtls
> I need to push mine to github sometime.
> Upstream wasn't very active; I think that repo has the last commits from it.

A mirror of the webpage would be nice. (And was there a mailing list?)
I was curious what the license of this package was, so I googled and found
a different tls mirror last email, and the git repo doesn't have an obvious
license label (possibly I just don't know how to navigate github's web
stuff). The README says "See www/index.html for the README, CHANGELOG,
LICENSE and other notes." The www/index.html file is 7000 lines of
javascript (a copy of "tiddlywiki") with no actual content that I can spot.
Further googling found http://www.freshports.org/security/axTLS/ which
claims it's 3BSD, but I can't say my impression of the project was "easy to
use, well supported by an existing community"...

> Issues to beware of:
> -axTLS uses RC4 a lot. (Yes, the cipher that was just removed from SSL.)
> I've got a patch I sent them not long ago that will allow disabling
> RC4 as far as network protocol negotiation.
> -make sure to use /dev/urandom; the fallback PRNG is home-brewed and RC4
> based.
>
> It's kconfig-based, which I find nice...and they managed to make that
> fairly simple, rather than copying the complexity that Busybox has.

I really need to write my kconfig-compatible menuconfig replacement
implementation. Alas, it's one of over a dozen "I really need to do X"
things on the todo list...

> HTH,
> Isaac

Rob

_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net
