← Back to context

Comment by byuu

11 years ago

Here's my current issue with moving to TLS: library support.

I do a lot of custom stuff and want to run my own server. I can set up and run the server in maybe 50-100 lines of code, and it works great.

I know, I should conform and use Apache/nginx/OpenSSL like everyone else. Because they're so much more secure, right? By using professional code like the aforementioned, you won't get exposed to exploits like Heartbleed, Shellshock, etc.

But me, being the stubborn one I am, I want to just code up a site. I can open up a socket, parse a few text lines, and voila. Web server. Now I want to add TLS and what are my options?

OpenSSL, crazy API, issues like Heartbleed.

libtls from LibreSSL, amazing API, not packaged for anything but OpenBSD yet. Little to no real world testing.

Mozilla NSS or GnuTLS, awful APIs, everyone seems to recommend against them.

Obscure software I've never heard of: PolarSSL, MatrixSSL. May be good, but I'm uneasy with it since I don't know anything about them. And I have to hope they play nicely with all my environments (Clang on OS X, Visual C++ on Windows, GCC on Linux and BSD) and package managers.

Write my own. Hahah. Hahahahahahahahah. Yeah. All I have to do is implement AES, Camellia, DES, RC4, RC5, Triple DES, XTEA, Blowfish, MD5, MD2, MD4, SHA-1, SHA-2, RSA, Diffie-Hellman key exchange, Elliptic curve cryptography (ECC), Elliptic curve Diffie–Hellman (ECDH), Elliptic Curve DSA (ECDSA); and all with absolutely no errors (and this is critical!), and I'm good to go!

I'm not saying encryption should be a breeze, but come on. I want this in <socket.h> and available anywhere. I want to be able to ask for socket(AF_INET, SOCK_STREAMTLS, 0), call setsockcert(certdata, certsize) and be ready to go.

Everything we do in computer science is always about raising the bar in terms of complexity. Writing software requires larger and larger teams, and increasingly there's the attitude that "you can't possibly do that yourself, so don't even try." It's in writing operating systems, writing device drivers, writing web browsers, writing crypto software, etc.

I didn't get into programming to glue other people's code together. I want to learn how things work and write them myself. For once in this world, I'd love it if we could work on reducing complexity instead of adding to it.

6 comments

byuu

Reply
IgorPartola  11 years ago

Wow, of all the arguments I could think of against the current CA/TLS/HTTPS situation, a hobbyist deciding to write their own web server would not be one of them... Yes, you should just conform and stop doing this. Or at the very least you could let another process to TLS termination and just handle HTTP if you really want to create your own off-by-one remote code execution errors instead of using the ones supplied by apache et al.

  • byuu  11 years ago

    > a hobbyist deciding to write their own web server would not be one of them

    nginx started out as a hobby project by Igor Sysoev. Maybe he should have just used Apache too?

    > Or at the very least you could let another process to TLS termination and just handle HTTP

    A well-designed HTTPS->HTTP proxy package could work. Install proxy, and requests to it on 443 fetch localhost:80 (which you could firewall off externally if you wanted) and feed it back as HTTPS. Definitely not optimal, especially if it ends up eating a lot of RAM or limiting active connections, but it would be a quick-and-dirty method that would work for smaller sites.

    But it won't handle other uses of TLS, such as if you wanted to use smtp.gmail.com, which requires STARTTLS. Or maybe you want to write an application that uses a new custom protocol, and want to encrypt that.

    If you put this stuff into libc, and get it ISO standardized and simplified, and have it present out of the box with your compilers on each OS, then you'll open the door for developers to more easily take advantage of TLS encryption everywhere.

    Look at the core API for GnuTLS: http://www.gnutls.org/manual/html_node/Core-TLS-API.html

    This is just insane. It would take an average developer months to fully understand that API.

    • IgorPartola  11 years ago

      FWIW, Igor did code up nginx to support HTTPS, despite terrible SSL libraries :)

      I don't really understand the problem you are having. If your sites are small personal/side projects, why worry about things like your web server? That stuff is so trivial, it's boring. If your sites are so large that the overhead that HTTPS has over HTTP makes that much of a difference (pretty sure that'd be Google, Facebook, Twitter, and nobody else), then why use your own server implementation which you must know contains more bugs than something like nginx which is already blazing fast. All of these things are a solved problem, there is no reason to solve them again unless you are explicitly developing a web server, an email relay, etc. If so, that's awesome, but in 2014 if you develop a web server that doesn't work with HTTPS, it's pretty much dead on arrival.

      Having said that, check out http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/.... This sounds like exactly what you need.

      2 replies →

Ono-Sendai  11 years ago

I'm in a similar position to you. LibTLS looks promising, but as you said, it's not tested (and not portable yet?)