As a member of the Norwegian Unix +User Group, I have the pleasure of receiving the +USENIX magazine +;login: +several times a year. I rarely have time to read all the articles, +but try to at least skim through them all as there is a lot of nice +knowledge passed on there. I even carry the latest issue with me most +of the time to try to get through all the articles when I have a few +spare minutes.
+ +The other day I came across a nice article titled +"The +Secure Socket API: TLS as an Operating System Service" with a +marvellous idea I hope can make it all the way into the POSIX standard. +The idea is as simple as it is powerful. By introducing a new +socket() option IPPROTO_TLS to use TLS, and a system wide service to +handle setting up TLS connections, one both make it trivial to add TLS +support to any program currently using the POSIX socket API, and gain +system wide control over certificates, TLS versions and encryption +systems used. Instead of doing this:
+ ++ ++int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); +
the program code would be doing this:
+ +
+ ++int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TLS); +
According to the ;login: article, converting a C program to use TLS +would normally modify only 5-10 lines in the code, which is amazing +when compared to using for example the OpenSSL API.
+ +The project has set up the +https://securesocketapi.org/ +web site to spread the idea, and the code for a kernel module and the +associated system daemon is available from two github repositories: +ssa and +ssa-daemon. +Unfortunately there is no explicit license information with the code, +so its copyright status is unclear. A +request to solve +this about it has been unsolved since 2018-08-17.
+ +I love the idea of extending socket() to gain TLS support, and +understand why it is an advantage to implement this as a kernel module +and system wide service daemon, but can not help to think that it +would be a lot easier to get projects to move to this way of setting +up TLS if it was done with a user space approach where programs +wanting to use this API approach could just link with a wrapper +library.
+ +I recommend you check out this simple and powerful approach to more +secure network connections. :)
+ +As usual, if you use Bitcoin and want to show your support of my +activities, please send Bitcoin donations to my address +15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.
+