-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch to BearSSL #14
Comments
If there's still interest, I have ported msmtp to libtls, and have been using it for a few days without any problems. I did not implement fingerprint based certificate verification (although it is possible, at least with SHA256), as it is deprecated and due to be removed in the next major version anyway. |
That's great!
Do you have a reference for that? I can see that SHA1 fingerprint is deprecated, but I don't see anything about SHA256.
I will take a look, thanks. On first glance it looks like good work. |
I don't think this is quite right. According to https://man.openbsd.org/tls_conn_version.3, the format of |
There is a comment near the beginning of tlsw_check_cert that implies so. I sent an email to the Martin Lambers (the maintainer) for clarification, and you are right, only SHA1 is deprecated. I'll try to implement fingeprint verification sometime soon.
I totally missed this, thanks for pointing it out. |
Sorry for the delay in responding, but I have fixed the issue above (and a number of other ones), and libtls support is now present upstream. |
Thanks so much for submitting this upstream. I just updated the msmtp version to latest git with libtls-bearssl and it seems to be working well. Only three left to go! |
I've banged out a proof of concept integration of libtls for nginx at https://github.com/shua/nginx/tree/tls . Is there still interest in this? Currently the code is very much a hacky addon, but I could spend more time on it to make it fit a little better and maybe upstream would accept 🤷 |
Not related to this but what is the |
We should try to use BearSSL whenever possible.
To do:
OpenSSL code is mostly contained in one file. It seems possible, but difficult to port to libtls.
Used by hashlib and ssl modules. hashlib has already ported. _ssl.c is over 6000 lines, though possibly could be ported to libtls.
Done:
Using libtls-bearssl.
Upstream in 7.68.0.
Using libtls-bearssl.
Patched to use BearSSL digests and HMAC.
Ported to use BearSSL crypto. EdDSA is disabled for now until BearSSL has an implementation.
libtls support added upstream by @noocsharp.
Using libtls-bearssl.
Ported to BearSSL (mostly). DH key exchange methods are not yet implemented.
Using libtls-bearssl.
Added an MD4 fallback.
Patched to use BearSSL HMAC-SHA256 and AES-CBC.
Patched to use BearSSL SHA1 and PRNG. Added an RC4 fallback.
Using libtls-bearssl, libx509cert, and BearSSL.
The text was updated successfully, but these errors were encountered: