X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/ae45a791cdcdf342a853ca387a68ef9efe559dc7..463df82ff3aa788584938b58434b899f3e67da41:/blog/archive/2020/06/index.html?ds=inline diff --git a/blog/archive/2020/06/index.html b/blog/archive/2020/06/index.html index c13479cbc4..9a4c54ebcd 100644 --- a/blog/archive/2020/06/index.html +++ b/blog/archive/2020/06/index.html @@ -21,6 +21,86 @@

Entries from June 2020.

+
+
+ Secure Socket API - a simple and powerful approach for TLS support in software +
+
+ 6th June 2020 +
+
+

As a member of the Norwegian Unix +User Group, I have the pleasure of receiving the +USENIX magazine +;login: +several times a year. I rarely have time to read all the articles, +but try to at least skim through them all as there is a lot of nice +knowledge passed on there. I even carry the latest issue with me most +of the time to try to get through all the articles when I have a few +spare minutes.

+ +

The other day I came across a nice article titled +"The +Secure Socket API: TLS as an Operating System Service" with a +marvellous idea I hope can make it all the way into the POSIX standard. +The idea is as simple as it is powerful. By introducing a new +socket() option IPPROTO_TLS to use TLS, and a system wide service to +handle setting up TLS connections, one both make it trivial to add TLS +support to any program currently using the POSIX socket API, and gain +system wide control over certificates, TLS versions and encryption +systems used. Instead of doing this:

+ +

+int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+

+ +

the program code would be doing this:

+ +

+int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TLS);
+

+ +

According to the ;login: article, converting a C program to use TLS +would normally modify only 5-10 lines in the code, which is amazing +when compared to using for example the OpenSSL API.

+ +

The project has set up the +https://securesocketapi.org/ +web site to spread the idea, and the code for a kernel module and the +associated system daemon is available from two github repositories: +ssa and +ssa-daemon. +Unfortunately there is no explicit license information with the code, +so its copyright status is unclear. A +request to solve +this about it has been unsolved since 2018-08-17.

+ +

I love the idea of extending socket() to gain TLS support, and +understand why it is an advantage to implement this as a kernel module +and system wide service daemon, but can not help to think that it +would be a lot easier to get projects to move to this way of setting +up TLS if it was done with a user space approach where programs +wanting to use this API approach could just link with a wrapper +library.

+ +

I recommend you check out this simple and powerful approach to more +secure network connections. :)

+ +

As usual, if you use Bitcoin and want to show your support of my +activities, please send Bitcoin donations to my address +15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

+ +
+
+ + + Tags: debian, english, sikkerhet, sysadmin. + + +
+
+
+
Bompenge-Norge, med noen tall fra bompengekalkulator @@ -118,7 +198,7 @@ Merk, betaling med bitcoin er ikke anonymt. :)

  • May (3)
    • -
  • June (1)
    • +
  • June (2)
    • @@ -467,7 +547,7 @@ Merk, betaling med bitcoin er ikke anonymt. :)

  • chrpath (2)
    • -
  • debian (170)
    • +
  • debian (171)
  • debian edu (159)
    • @@ -481,7 +561,7 @@ Merk, betaling med bitcoin er ikke anonymt. :)

  • drivstoffpriser (4)
    • -
  • english (417)
    • +
  • english (418)
  • fiksgatami (23)
    • @@ -549,7 +629,7 @@ Merk, betaling med bitcoin er ikke anonymt. :)

  • scraperwiki (2)
    • -
  • sikkerhet (57)
    • +
  • sikkerhet (58)
  • sitesummary (4)
    • @@ -563,7 +643,7 @@ Merk, betaling med bitcoin er ikke anonymt. :)

  • surveillance (60)
    • -
  • sysadmin (4)
    • +
  • sysadmin (5)
  • usenix (2)