Title: Secure Socket API - a simple and powerful approach for TLS support in software
Tags: english, debian, sikkerhet, sysadmin
<p>As a member of the <a href="https://www.nuug.no/">Norwegian Unix
User Group</a>, I have the pleasure of receiving the
<a href="https://www.usenix.org/">USENIX</a> magazine
<a href="https://www.usenix.org/publications/login/">;login:</a>
several times a year. I rarely have time to read all the articles,
but try to at least skim through them all, as there is a lot of nice
knowledge passed on there. I even carry the latest issue with me most
of the time to try to get through all the articles when I have a few
<p>The other day I came across a nice article titled
"<a href="https://www.usenix.org/publications/login/winter2018/oneill">The
Secure Socket API: TLS as an Operating System Service</a>" with a
marvellous idea I hope can make it all the way into the POSIX standard.
The idea is as simple as it is powerful. By introducing a new
socket() protocol option, IPPROTO_TLS, to request TLS, together with a
system wide service that handles setting up the TLS connections, one
both makes it trivial to add TLS support to any program currently using
the POSIX socket API, and gains system wide control over the
certificates, TLS versions and cipher suites in use. Instead of doing
this:</p>
<blockquote><pre>
/* plain TCP stream socket; "fd" rather than "socket" so the variable
   does not hide the socket() function it is initialised from */
int fd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
</pre></blockquote>
<p>the program code would be doing this:</p>
<blockquote><pre>
/* same call, but the TLS protocol option makes the system wide
   TLS service handle the handshake and certificate validation */
int fd = socket(PF_INET, SOCK_STREAM, IPPROTO_TLS);
</pre></blockquote>
<p>According to the ;login: article, converting a C program to use TLS
would normally modify only 5-10 lines of code, which is amazing
when compared to using for example the OpenSSL API.</p>
<p>The project has set up the
<a href="https://securesocketapi.org/">https://securesocketapi.org/</a>
web site to spread the idea, and the code for a kernel module and the
associated system daemon is available from two github repositories:
<a href="https://github.com/markoneill/ssa">ssa</a> and
<a href="https://github.com/markoneill/ssa-daemon">ssa-daemon</a>.
Unfortunately there is no explicit license information with the code,
so its copyright status is unclear. A
<a href="https://github.com/markoneill/ssa/issues/2">request to resolve
this</a> has been open without an answer since 2018-08-17.</p>
<p>I love the idea of extending socket() to gain TLS support, and
understand why it is an advantage to implement this as a kernel module
and system wide service daemon, but cannot help thinking that it
would be a lot easier to get projects to move to this way of setting
up TLS if it was done with a user space approach, where programs
wanting to use this API could just link with a wrapper
<p>I recommend you check out this simple and powerful approach to more
secure network connections. :)</p>
<p>As usual, if you use Bitcoin and want to show your support of my
activities, please send Bitcoin donations to my address
<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>