Starting over with...SSLRef?
Anyway, the point of this is that I remember SSLRef being decent code. Debugging it was fairly simple and it had a pretty good structure, which is very different than SSLeay/OpenSSL. This makes me wonder if it could serve as the basis for a replacement for OpenSSL.
It looks like Apple uses SSLRef in some capacity and the source code is available at http://www.opensource.apple.com/source/Security/Security-30.1/SecureTransport/
To be clear, I understand that the license of this code is a problem (perhaps the current copyright holder could donate it?). I also understand that we've learned a lot about various attacks against SSL/TLS since it was written and it surely has not been patched to resolve them. It also does not currently support TLS.
However...assuming the code could be/has been re-licensed by whoever owns it today, would it make sense to use SSLRef as a starting point for an OpenSSL replacement? I mean, wouldn't that be better than starting over with new implementation?
1 comment
[ 0.25 ms ] story [ 10.0 ms ] threadHow does NSS compare to SSLRef?
SSLRef was an early reference implementation of the SSL protocol. It contains bugs that were never fixed, doesn't support TLS or or the new 56-bit export cipher suites, and does not contain the fix to the Bleichenbacher attack on PKCS#1.
Netscape no longer maintains SSLRef or makes it available. It was built as an example of an SSL implementation, not for creating production applications.
NSS was designed from the ground up for use by commercial developers. It provides a complete software development kit that uses the same architecture used to support security features in many client and server products from Netscape and other companies.