Creating cryptographic agility with alternatives to OpenSSL
Apache HTTPD to the Rescue
However, one piece of software does support several SSL/TLS implementations, and it also has proxy capabilities. Apache HTTPD with mod_proxy supports HTTP, FTP, and HTTP CONNECT. Basically you can cover web and FTP clients and any clients that support HTTP CONNECT. To proxy a website, you can simply enable mod_proxy and configure something like:
ProxyPass / http://localhost:8080/ ProxyPassReverse / http://localhost:8080/
To support the CONNECT method, you'll also need mod_proxy_connect and a configuration such as
AllowConnect port X
X is the port (by default only 443 and 563 are allowed, HTTPS, and NNTP over SSL, respectively).
Compiling with GnuTLS
Here is where things go from bad to worse. I checked quite a few software packages, and although most of them support OpenSSL, very few support anything else. To quote the Dovecot site:
Dovecot was initially built to support both OpenSSL and GNUTLS. GNUTLS has however had some problems and nowadays it does not work any more. Patches to fix it are welcome.
I suspect the other issue is that OpenSSL works well enough, so why invest significant time and effort in supporting a second SSL/TLS implementation?
I'll be honest, this article didn't go the way I wanted it to. My hope was to find some software like Stunnel that supported GnuTLS. Then, I would provide some instructions on downloading, installing, and configuring it to act as a proxy for HTTP and other protocols, such as POP and IMAP. Then, you could have installed this software as a front end, and the next time a problem cropped up in OpenSSL, you could have simply switched to GnuTLS for the duration of the emergency. Sadly, this was not the case. Instead, it seems that outside of a few limited applications, pretty much everyone supports OpenSSL and only OpenSSL. I hope this will change with time.
- OpenSSL: http://www.openssl.org/
- GnuTLS: http://www.gnutls.org/
- Network Security Services (NSS): https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
- PolarSSL: https://polarssl.org/
- LibreSSL: http://www.libressl.org/
Buy this article as PDF
HP's annual Cyber Risk report offers a bleak look at the state of IT.
But what do the big numbers really mean?
.NET Core execution engine is the basis for cross-platform .NET implementations.
The Xnote trojan hides itself on the target system and will launch a variety of attacks on command.
Spammers go low-volume, and 90% of IE browsers are unpatched.
Adobe scrambles to release patches for vulnerable Flash Player.
Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
New statute would require companies to report break-ins to consumers.
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.