[Solved] cleanup of OpenSSL

Added by mchalain 11 months ago

Hello Happy World,

I worked on the port of mbedtls in place of openssl.
My first step was to clean up the OpenSSL-specific code, to move it into only one file and to have an API to use with mbedtls.

I attach a collection of patches that move the code slowly and minimize the modifications in the sequences.
Some patches are more important than the others:
0009-openssl-store-specific_config-into-srv_socket.patch : this patch is not dangerous, but the modification may be used to simplify some other parts of the code.
0011-openssl-manage-tlsext_server_name-into-connection.patch : the tlsext_server_name is allocated only for HTTPS connections, but I didn't find a configuration that allows using it.
0012-openssl-move-SSL-configuration-into-new-function.patch : the connection configuration copied all variables. This patch copies the SSL configuration only for an HTTPS connection.
0014-opensll-anonymize-SLL-variables-into-base.h.patch : the certificate variables were copied into each connection, but they were the same for each server_socket. So this patch copies a pointer to a structure that contains the variables.

Before continuing I would like to discuss these patches, to be sure that I didn't go the wrong way.

My next step will be to create a mod_openssl, but this may introduce some bugs and regressions. So the cleanup has to be ready before beginning this step.

Best regards, merry Christmas and see you next year,
Marc.


Replies (9)

RE: cleanup of OpenSSL - Added by mchalain 11 months ago

:-( I didn't see that you moved the project to github and I started from the redmine repository...

So 3 days of work for nothing

RE: cleanup of OpenSSL - Added by mchalain 11 months ago

OK, the diffs between github and redmine are very small.
But now I do a pull request on github

RE: cleanup of OpenSSL - Added by gstrauss 11 months ago

Thanks for the effort! I'll take a closer look in the next few days.

I had hoped you would see my update to https://redmine.lighttpd.net/boards/4/topics/6988 where I ported mod_openssl from a (diverged) development branch and pushed so that you could see its state.

Even if some of the work has been duplicated, I am sure that your changes will be useful to inform me how you were approaching the module and what you need to further develop the mbedtls module for lighttpd. Cheers.

RE: [Solved] cleanup of OpenSSL - Added by BingoNightly 7 months ago

Did this go anywhere? On an embedded system running lighty and mbedTLS would let me throw out over 2 MB of OpenSSL stuff...

RE: [Solved] cleanup of OpenSSL - Added by gstrauss 7 months ago

It went as far as I took it and documented in the links above. lighttpd git master collects openssl code into mod_openssl.c, creating an isolated module that can be a starting point for using other TLS libraries in lighttpd, without having to modify code in many different lighttpd core files.

It would appear that Marc chose something else for his school project, as he lost focus on making changes for mbedTLS.

RE: [Solved] cleanup of OpenSSL - Added by BingoNightly 7 months ago

Thanks. Well, I suppose it may fall to me to take up the gauntlet then, at least for my own use (but I'll try not to be a complete hack). Getting everything in one place is certainly the foundation I need, so thanks for that, and mbedTLS is WAY easier to code to than OpenSSL...SO HOW HARD CAN IT BE? (cough) Just need to sneak this little "side project" past my boss. (I'll pop onto IRC if I get into this and have questions...)

RE: [Solved] cleanup of OpenSSL - Added by BingoNightly 6 months ago

Just a note here in case anyone else has interest, I just pushed a VERY minimal working mod_mbedtls on the mbedtls-master branch here https://github.com/PatchyFog/lighttpd1.4-mbedtls

RE: [Solved] cleanup of OpenSSL - Added by gstrauss 6 months ago

BingoNightly, I reviewed your branch mbedtls-master, made some changes, and pushed to https://github.com/gstrauss/lighttpd1.4 branch mbedtls-master
Not tested, but hopefully gives you some feedback. Thanks for the effort. Let's see where we can go from here.
