Feature #3282
openAdd support for AWS-LC as openssl variant
Description
Hello,
reading this report from the haproxy maintainers about The State of SSL Stacks AWS-LC seems to be good choice as TLS library and I want support for it added to lighttpd.
As a fork of boringssl most but not all changes for this variant of openssl can be added for AWS-LC. I did this in the appended patch, which compiles for me, but is far from being complete.
Files
Updated by gstrauss 3 days ago ยท Edited
- Priority changed from Normal to Low
- Target version changed from 1.4.80 to 1.4.xx
Just the other day, there was a discussion about this article on #lighttpd on IRC.
I am considering splitting out new modules lighttpd mod_boringlssl and lighttpd mod_libressl from the existing lighttpd mod_openssl since the libraries both provide more than openssl compatibility API layers.
(Please don't specify the target version in the issue when filing feature requests, especially those which might be a lot of work. Same goes for bug reports unless a tested patch is provided.)
Updated by gstrauss about 21 hours ago
AWS-LC seems to be good choice as TLS library and I want support for it added to lighttpd.
@flynn have you built and tested lighttpd mod_openssl against BoringSSL?
Have you deployed the result somewhere further than a sandbox?
The request "I want support for it" is vague. What commitments can you offer for testing and validation? (Basic compilation is not the hard part.)
lighttpd mod_openssl.c support for BoringSSL currently does not take advantage of BoringSSL CRYPTO_BUFFER and the CBS and CBB interfaces.
AWS-LC changes BORINGSSL_API_VERSION to a (different) AWSLC_API_VERSION
There are a handful of locations in mod_openssl.c which check BORINGSSL_API_VERSION against a number rather than simply #ifdef or #ifndef Further review is needed.
As a kludge, you might try the following near the top of mod_openssl.c, and then additional add two small changes from your patch: the ifdef around EVP_hpke_p256_hkdf_sha256(), and the change in sys-crypto-md.h
#ifdef OPENSSL_IS_AWSLC #ifndef BORINGSSL_API_VERSION #define BORINGSSL_API_VERSION 19 #endif #endif
I read through the following links and nothing specific jumped out at me that would affect lighttpd mod_openssl.c, though there needs to be a review of TLSv1.2 session ticket handling for what is supported by AWS-LC.
https://github.com/aws/aws-lc/blob/main/PORTING.md
https://github.com/aws/aws-lc/blob/main/docs/porting/functionality-differences.md
https://github.com/aws/aws-lc/blob/main/docs/porting/configuration-differences.md
Updated by flynn about 18 hours ago
- I read the haproxy article about the problems with openssl and thought, that lighttpd as a single threaded application is affected
- I missed the discussion about openssl on the IRC channel
- the provided patch was not intended to be included one-by-one, it should only show the effort to use the openssl compatiblity of AWS-LC is manageable following the changes for boringssl
- the patch was incomplete in the way, that I did not find the time to test all compile variants using the different possible
#definein the code - setting the target version to the next version was only for using the openssl compatiblity of AWS-LC, not for writing a own module using the AWS-LC specific API mentioned in the porting guide
If you plan to write own modules for boringssl (with an additional eye on AWS-LC) and libressl I'm fine with that and can wait and this ticket can closed without an immediate solution.
Sorry for the excitement.
Updated by gstrauss about 11 hours ago
The fact remains that you're asking for a serious commitment of time and effort to make sure AWS-LC actually works. This is not a shiny object. This is TLS. Some people in some parts of the world might depend on TLS actually working for their safety.
I read your response as saying: "I am asking for shiny thing" without any business reason or commitment of effort. That belongs on a wishlist more than the issue tracker, similar to https://redmine.lighttpd.net/boards/3/topics/11028
Also available in: Atom