
Replacing OpenSSL Library with a Lightweight SSL Library

Deepak
31 March 2011, 15:24


Hiawatha version: hiawatha-7.4
Operating System: Linux

Hi,

I am interested in using the Hiawatha web server for one of my projects. However, Hiawatha uses the OpenSSL library, which is quite heavyweight (memory footprint wise).

I am interested in replacing OpenSSL with a lightweight SSL library. For that I would need to replace the OpenSSL data structures used in Hiawatha structures and replace the calls to OpenSSL library functions.

I need to know how complex it would be to replace OpenSSL with some other library. Does Hiawatha's design provide the concept of SSL handlers, which can be either an OpenSSL library handler or some other library handler?

Does there exist a version of the Hiawatha web server that can be used with either SSL library based on configuration settings? Or has anyone ported Hiawatha to some other SSL library?


Thanks,
Deepak
Hugo Leisink
31 March 2011, 20:28
All SSL stuff is in libssl.c and libssl.h. My guess is that you can keep the interface the same when using another SSL library. Just change libssl.c.

When you get something working, are you willing to share it with me?
Deepak
5 April 2011, 08:29
Hi,

I am aware that the SSL functionality is placed in the libssl.c and libssl.h files. Also, in other parts of the code, SSL functionality is used under the HAVE_SSL flag.

The problem I foresee in replacing OpenSSL with another lightweight library is that the Hiawatha code uses OpenSSL thread functions to register callback functions for synchronization (locking mechanism). Such functionality is not quite present in other libraries, so I may need to change the Hiawatha code for proper synchronization. Also, there rarely exists a one-to-one mapping of all OpenSSL functions in other libraries.

Is there any version of Hiawatha that uses another SSL library on the basis of configuration, maybe through a conf file?

Regards,
Deepak
Hugo Leisink
5 April 2011, 10:38
The reason why Hiawatha uses the OpenSSL callback functions is that OpenSSL requires them because of its bad support for multithreaded applications. A better written SSL library shouldn't need such callback functions. So, you probably don't have to worry about that. I've read that GnuTLS has an OpenSSL compatible API. So, you probably want to start with that one.

Personally, I really hate OpenSSL. It's badly documented, the code is horrible and the need for callback functions in multithreaded applications is ridiculous. Therefore I'm really interested in your plans to replace OpenSSL with some other SSL library in Hiawatha. The only requirement I have is that the other SSL library is supported by all mainstream operating systems. At least Debian, Fedora, Gentoo, Slackware, SuSE, FreeBSD, OpenBSD, MacOS X and Cygwin.

I would really appreciate it if you could make the new library optional via a parameter of the configure script, so users can choose which SSL library they want to use in Hiawatha.

There is no other Hiawatha version that uses a different SSL library.
Deepak
5 April 2011, 11:34
Thanks for the inputs.

Currently I am in the phase of analyzing the feasibility of porting OpenSSL in Hiawatha vis-a-vis some other options. I shall share further inputs in due course of time.

Regards,
Deepak
Deepak
15 April 2011, 14:06
Hi,

I am pondering over a lightweight SSL library to replace OpenSSL. I have managed to find a library which implements the majority of the OpenSSL functionality used by Hiawatha for SSL support.

However, there are a few OpenSSL APIs which Hiawatha uses that are not covered by that library. I am mostly commenting out portions of the Hiawatha code for such cases. I am listing below a few of the APIs which I will be commenting out. Please let me know if they would majorly hamper the working of the web server, and in what ways.

1. The light SSL library does not support the DH data structure and the related functions in load_dh_params, like PEM_read_bio_DHparams and SSL_CTX_set_tmp_dh, for reading DH parameters from a BIO and setting them in the CTX.

As a result I am commenting out the call to the function "load_dh_params" in Hiawatha. IMO, this should not majorly affect Hiawatha if we do not provide support for Diffie-Hellman.

2. SSL_CTX_set_options - not supported in the light SSL library. Hence commenting it out in Hiawatha, where it indicates no SSL v2 support.

3. SSL_CTX_set_verify_depth - not supported in the light SSL library. Hence commenting it out in Hiawatha.

4. ERR_remove_state not implemented either.

5. SSL_CTX_check_private_key, SSL_load_client_CA_file and SSL_CTX_set_client_CA_list are not supported in the light SSL library. Made dummy functions returning 0.

IMO, lack of SSL_CTX_check_private_key may majorly affect the proper working of the web server. Please let me know your views.

Also, the absence of SSL_load_client_CA_file and SSL_CTX_set_client_CA_list may matter if the web server would like to authenticate client certificates.


Kindly let me know your comments.

Thanks,
Deepak
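Added example, not code from this thread or from the Hiawatha project: since the build described above turns SSL_CTX_check_private_key into a dummy, the key/certificate consistency that OpenSSL would have verified at startup can instead be checked out of band with the openssl command-line tool before the server is started. The file names (server.crt, server.key, other.key) and the CN are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Hiawatha code): reproduce, outside the server, the check
# that OpenSSL's SSL_CTX_check_private_key() performs at startup, so a build
# whose SSL library stubs that call out still refuses a mismatched key pair.
#
# cert_key_match CERT KEY
#   exit 0 if the public key in CERT equals the public key derived from KEY,
#   exit 1 on mismatch, exit 2 if either file cannot be parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_fixture: constructed test material, written to a fresh temp directory
# whose path is printed on stdout: a self-signed server.crt with its
# server.key, plus an unrelated other.key that must be rejected.
make_fixture() {
    dir=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=hiawatha.example \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1 || return 2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1 || return 2
    echo "$dir"
}

# Command-line use: check_cert_key.sh CERT KEY   (exit status as above)
if [ $# -eq 2 ]; then
    cert_key_match "$1" "$2"; rc=$?
    case $rc in
        0) echo "OK: private key matches certificate $1" ;;
        1) echo "REFUSE: $2 does not belong to $1" >&2 ;;
        *) echo "ERROR: could not parse certificate or key" >&2 ;;
    esac
    exit $rc
fi
```

The comparison is done on the SubjectPublicKeyInfo PEM, so it works for RSA and EC keys alike.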
Hugo Leisink
16 April 2011, 20:27
Well, if you ask me, that's a lot of things that are not supported. Not quite a good replacement.
This topic has been closed.