Creating cryptographic agility with alternatives to OpenSSL

Apache HTTPD to the Rescue

However, one piece of software does support several SSL/TLS implementations, and it also has proxy capabilities. Apache HTTPD with mod_proxy supports HTTP, FTP, and HTTP CONNECT. Basically you can cover web and FTP clients and any clients that support HTTP CONNECT. To proxy a website, you can simply enable mod_proxy and configure something like:

ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

To support the CONNECT method, you'll also need mod_proxy_connect and a configuration such as

AllowConnect port X

where X is the port (by default only 443 and 563 are allowed, HTTPS, and NNTP over SSL, respectively).

Compiling with GnuTLS

Here is where things go from bad to worse. I checked quite a few software packages, and although most of them support OpenSSL, very few support anything else. To quote the Dovecot site:

Dovecot was initially built to support both OpenSSL and GNUTLS. GNUTLS has however had some problems and nowadays it does not work any more. Patches to fix it are welcome.

I suspect the other issue is that OpenSSL works well enough, so why invest significant time and effort in supporting a second SSL/TLS implementation?

Conclusion

I'll be honest, this article didn't go the way I wanted it to. My hope was to find some software like Stunnel that supported GnuTLS. Then, I would provide some instructions on downloading, installing, and configuring it to act as a proxy for HTTP and other protocols, such as POP and IMAP. Then, you could have installed this software as a front end, and the next time a problem cropped up in OpenSSL, you could have simply switched to GnuTLS for the duration of the emergency. Sadly, this was not the case. Instead, it seems that outside of a few limited applications, pretty much everyone supports OpenSSL and only OpenSSL. I hope this will change with time.

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Server Name Indication

    Server Name Indication lets you operate more than one SSL-protected service per IP address.

  • GnuTLS Removes Questionable Extension

    Version 2.0.2 of the GnuTLS security library does without the TLS authorization extension due to threats of patent claims.

  • Charly's Column – H2O

    H2O is a web server that has been in development for some time but seems to be a baby compared with the long-serving Apache. Columnist Charly sets out to discover what the "new kid" is capable of.

  • DTLS – Encryption for UDP

    TLS encryption is wonderful if it is running over a reliable transport protocol like TCP; but if your needs call for the less reliable UDP transport, you'd better start learning about DTLS.

  • GnuTLS Version 2.0.0 Released

    Version 2.0.0 of the GnuTLS security database improves access to X.509 certificates and adds RSA with SHA-256/384/512 certificates to the crop of supported crypto approaches.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News