Creating cryptographic agility with alternatives to OpenSSL
Apache HTTPD to the Rescue
However, one piece of software does support several SSL/TLS implementations, and it also has proxy capabilities. Apache HTTPD with mod_proxy supports HTTP, FTP, and HTTP CONNECT. Basically you can cover web and FTP clients and any clients that support HTTP CONNECT. To proxy a website, you can simply enable mod_proxy and configure something like:
ProxyPass / http://localhost:8080/ ProxyPassReverse / http://localhost:8080/
To support the CONNECT method, you'll also need mod_proxy_connect and a configuration such as
AllowConnect port X
X is the port (by default only 443 and 563 are allowed, HTTPS, and NNTP over SSL, respectively).
Compiling with GnuTLS
Here is where things go from bad to worse. I checked quite a few software packages, and although most of them support OpenSSL, very few support anything else. To quote the Dovecot site:
Dovecot was initially built to support both OpenSSL and GNUTLS. GNUTLS has however had some problems and nowadays it does not work any more. Patches to fix it are welcome.
I suspect the other issue is that OpenSSL works well enough, so why invest significant time and effort in supporting a second SSL/TLS implementation?
I'll be honest, this article didn't go the way I wanted it to. My hope was to find some software like Stunnel that supported GnuTLS. Then, I would provide some instructions on downloading, installing, and configuring it to act as a proxy for HTTP and other protocols, such as POP and IMAP. Then, you could have installed this software as a front end, and the next time a problem cropped up in OpenSSL, you could have simply switched to GnuTLS for the duration of the emergency. Sadly, this was not the case. Instead, it seems that outside of a few limited applications, pretty much everyone supports OpenSSL and only OpenSSL. I hope this will change with time.
- OpenSSL: http://www.openssl.org/
- GnuTLS: http://www.gnutls.org/
- Network Security Services (NSS): https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
- PolarSSL: https://polarssl.org/
- LibreSSL: http://www.libressl.org/
Buy this article as PDF
VMware bids for a stake in the container industry with a bold effort to integrate containers with its classic virtualization system.
3ROS attack tool lowers the technical bar so anyone can be an intruder.
Mozilla's latest browser offers powerful new privacy feature
If attackers are on your system, saving your passwords in a password vault is no protection.
Faulty hash algorithm persists, despite efforts by experts to raise awareness.
Powerful man-in-the-middle attack is now targeting online shopping.
Another high-profile coder says the kernel team needs a kinder, gentler culture.
Bug database has a bug of its own that could allow an intruder to create an unauthorized account.
Report focuses federal resources on achieving universal Internet access.
Leading browser makers say “no” to porous encryption algorithm