public inbox for ecos-discuss@sourceware.org
* [ECOS] On Porting OpenSSL v1.0.0c
@ 2010-12-07 16:33 Michael Bergandi
  2010-12-08 10:04 ` Alex Schuilenburg
  2010-12-09 16:09 ` [ECOS] " Michael Bergandi
  0 siblings, 2 replies; 17+ messages in thread
From: Michael Bergandi @ 2010-12-07 16:33 UTC (permalink / raw)
  To: eCos Discuss List

Hello all,

I would like to know if there is someone interested or already working on a port
of the latest OpenSSL library to eCos. If you are or know someone who is, I would
love to know about it so that we are not duplicating efforts.

In doing some online research regarding OpenSSL on eCos, I came across
the old port of OpenSSL by Andrew Lunn that claims to be updated to the v0.9.6b
code base. However, that port is quite dated (going on 9 years old) and the current
code base is much much different now.

I also came across a note from Andrew in the archives in response to someone
else's inquiry about using the SSL portion of the library:

> Please note that I only used some of the encryption algorithms and
> Diffie Hellman from it. I've not used SSL. So expect it to be broken
> and require some work. You may be lucky and it works perfectly.
>
> If you do plan to update to a newer version of OpenSSL, please let me
> know, I have a few suggestions....
>
>    Andrew

Well, Andrew, if you are listening, I'm all ears...

The project I am working on will be using SSL to provide a secure web
interface for device configuration. In addition, we want to leverage
the encryption module on our processor (mx27) to get some hardware
acceleration for our other encryption needs. The ENGINE interface, in
particular, is the primary reason for our desire to go ahead and port
the latest OpenSSL to eCos.

So, again, if anyone wants to be a part of this effort or can be there to offer
guidance along the way, please let me know and we can collaborate.

Thanks for your interest and comments,

-- 
Michael Bergandi

-- 
Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss


* Re: [ECOS] On Porting OpenSSL v1.0.0c
  2010-12-07 16:33 [ECOS] On Porting OpenSSL v1.0.0c Michael Bergandi
@ 2010-12-08 10:04 ` Alex Schuilenburg
  2010-12-09 16:09 ` [ECOS] " Michael Bergandi
  1 sibling, 0 replies; 17+ messages in thread
From: Alex Schuilenburg @ 2010-12-08 10:04 UTC (permalink / raw)
  To: Michael Bergandi; +Cc: eCos Discuss List

Hi Michael,

On 2010-12-07 16:32, Michael Bergandi wrote:
> Hello all,
>
> I would like to know if there is someone interested or already working on a port
> of the latest OpenSSL library to eCos. If you are or know someone who
> is, I would
> love to know about it so that we are not duplicating efforts.
FWIW, eCosCentric already provide a port of the OpenSSL library to eCos:
http://www.ecoscentric.com/ecospro/doc.cgi/html/openssl-book/openssl-ecos-chapter.html

You may wish to contact us on info@ecoscentric.com for details, pricing
and support of the commercially supported OpenSSL  package.

Sincerely
-- 

Alex Schuilenburg

Managing Director/CEO                                eCosCentric Limited
Tel:  +44 1223 245571                     Barnwell House, Barnwell Drive
Fax:  +44 1223 248712                             Cambridge, CB5 8UU, UK
www.ecoscentric.com             Reg in England and Wales, Reg No 4422071




* [ECOS] Re: On Porting OpenSSL v1.0.0c
  2010-12-07 16:33 [ECOS] On Porting OpenSSL v1.0.0c Michael Bergandi
  2010-12-08 10:04 ` Alex Schuilenburg
@ 2010-12-09 16:09 ` Michael Bergandi
  2010-12-09 16:53   ` Sergei Gavrikov
  1 sibling, 1 reply; 17+ messages in thread
From: Michael Bergandi @ 2010-12-09 16:09 UTC (permalink / raw)
  To: eCos Discuss List

On Tue, Dec 7, 2010 at 11:32 AM, Michael Bergandi <mbergandi@gmail.com> wrote:
>
> Hello all,
>
> I would like to know if there is someone interested or already working on a port
> of the latest OpenSSL library to eCos. If you are or know someone who is, I would
> love to know about it so that we are not duplicating efforts.
>
> In doing some online research regarding OpenSSL on eCos, I came across
> the old port of OpenSSL by Andrew Lunn that claims to be updated to the v0.9.6b
> code base. However, that port is quite dated (going on 9 years old) and the current
> code base is much much different now.
>
> I also came across a note from Andrew in the archives in response to someone
> else's inquiry about using the SSL portion of the library:
>
> > Please note that I only used some of the encryption algorithms and
> > Diffie Hellman from it. I've not used SSL. So expect it to be broken
> > and require some work. You may be lucky and it works perfectly.
> >
> > If you do plan to update to a newer version of OpenSSL, please let me
> > know, I have a few suggestions....
> >
> >    Andrew
>
> Well, Andrew, if you are listening, I'm all ears...
>
> The project I am working on will be using SSL to provide a secure web
> interface for device configuration. In addition, we want to leverage
> the encryption module on our processor (mx27) to get some hardware
> acceleration for our other encryption needs. The ENGINE interface, in
> particular, is the primary reason for our desire to go ahead and port
> the latest OpenSSL to eCos.
>
> So, again, if anyone wants to be a part of this effort or can be there to offer
> guidance along the way, please let me know and we can collaborate.
>
> Thanks for your interest and comments,
>
> --
> Michael Bergandi

Perhaps this inquiry is better suited for the ecos-devel mailing list?

--
Michael Bergandi


* Re: [ECOS] Re: On Porting OpenSSL v1.0.0c
  2010-12-09 16:09 ` [ECOS] " Michael Bergandi
@ 2010-12-09 16:53   ` Sergei Gavrikov
  2010-12-09 18:07     ` Michael Bergandi
  0 siblings, 1 reply; 17+ messages in thread
From: Sergei Gavrikov @ 2010-12-09 16:53 UTC (permalink / raw)
  To: Michael Bergandi; +Cc: eCos Discuss List


On Thu, 9 Dec 2010, Michael Bergandi wrote:

> On Tue, Dec 7, 2010 at 11:32 AM, Michael Bergandi wrote:
> >
> > Hello all,
> >
> > I would like to know if there is someone interested or already
> > working on a port of the latest OpenSSL library to eCos. If you are
> > or know someone who is, I would love to know about it so that we are
> > not duplicating efforts.
> >
> > In doing some online research regarding OpenSSL on eCos, I came
> > across the old port of OpenSSL by Andrew Lunn that claims to be
> > updated to the v0.9.6b code base. However, that port is quite dated
> > (going on 9 years old) and the current code base is much much
> > different now.
> >
> > I also came across a note from Andrew in the archives in response to
> > someone else's inquiry about using the SSL portion of the library:
> >
> > > Please note that I only used some of the encryption algorithms and
> > > Diffie Hellman from it. I've not used SSL. So expect it to be
> > > broken and require some work. You may be lucky and it works
> > > perfectly.
> > >
> > > If you do plan to update to a newer version of OpenSSL, please let
> > > me know, I have a few suggestions....
> > >
> > >    Andrew
> >
> > Well, Andrew, if you are listening, I'm all ears...
> >
> > The project I am working on will be using SSL to provide a secure
> > web interface for device configuration. In addition, we want to
> > leverage the encryption module on our processor (mx27) to get some
> > hardware acceleration for our other encryption needs. The ENGINE
> > interface, in particular, is the primary reason for our desire to go
> > ahead and port the latest OpenSSL to eCos.
> >
> > So, again, if anyone wants to be a part of this effort or can be
> > there to offer guidance along the way, please let me know and we can
> > collaborate.
> >
> > Thanks for your interest and comments,
> >

Hi,

My 2 cents:

I would look at PolarSSL
1) http://polarssl.org/features
2) http://polarssl.org/licensing

IMO, point #2 is valuable thing to port PolarSSL to eCos.

Yet another candidate with dual licensing also would be... yaSSL
http://www.yassl.com/yaSSL/License.html

However, IANAL.

But, both these SSL libraries were designed with a word "embedded" in a
mind.

Well, OpenSSL has much muscles, but, What's about thin SSL for embedded
World (=eCos)?

Thanks,
Sergei

> > --
> > Michael Bergandi
> 
> Perhaps this inquiry is better suited for the ecos-devel mailing list?
> 
> --
> Michael Bergandi
> 
> --
> Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
> and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss
> 


* Re: [ECOS] Re: On Porting OpenSSL v1.0.0c
  2010-12-09 16:53   ` Sergei Gavrikov
@ 2010-12-09 18:07     ` Michael Bergandi
  2010-12-09 21:54       ` [ECOS] PolarSSL [Was: On Porting OpenSSL v1.0.0c] Sergei Gavrikov
  0 siblings, 1 reply; 17+ messages in thread
From: Michael Bergandi @ 2010-12-09 18:07 UTC (permalink / raw)
  To: Sergei Gavrikov; +Cc: eCos Discuss List

Sergei,

> My 2 cents:
>
> I would look at PolarSSL
> 1) http://polarssl.org/features
> 2) http://polarssl.org/licensing
>
> IMO, point #2 is valuable thing to port PolarSSL to eCos.

Looks Ok, but I see no mention of an interface to encryption hardware
accelerators. That is a big sticking point for us.

>
> Yet another candidate with dual licensing also would be... yaSSL
> http://www.yassl.com/yaSSL/License.html

This project seems very young and doesn't seem to have a very big user or
developer base. Too high risk for a commercial product.

>
> However, IANAL.
>
> But, both these SSL libraries were designed with a word "embedded" in a
> mind.
>
> Well, OpenSSL has much muscles, but, What's about thin SSL for embedded
> World (=eCos)?

Yes, I know OpenSSL is overkill for most embedded security needs. However,
it is the most active, used, and tested of any SSL library. It has a long
history and doesn't seem to be going away anytime in the near future.

It also has some focus on using encryption hardware accelerators through their
ENGINE interface. Although it currently has some limitations, it's a start in
the right direction.

Also, the OpenSSL code is pretty modular. I think I can slice and dice it and
make it configurable enough that the memory footprint would be reasonable
for the desired functionality.

For these reasons, I think an open port of OpenSSL to eCos would be worthwhile.

I would still like to hear if this is of interest to anyone else and
get some input from the eCos maintainers.

I know those from eCosCentric probably aren't too happy to hear about the
possibilities of a completely open port of the latest OpenSSL library for eCos,
since this would be in direct opposition to their ecos-SecureSockets product
(which is a closed port of OpenSSL v1.0.0a).

>>
>> Perhaps this inquiry is better suited for the ecos-devel mailing list?

I would still like to know the answer to this, before I go off and upset someone
for cross posting.

-- 
Michael Bergandi


* [ECOS] PolarSSL [Was: On Porting OpenSSL v1.0.0c]
  2010-12-09 18:07     ` Michael Bergandi
@ 2010-12-09 21:54       ` Sergei Gavrikov
  2010-12-11 10:43         ` [ECOS] " Sergei Gavrikov
  2010-12-12 15:42         ` [ECOS] " Michael Bergandi
  0 siblings, 2 replies; 17+ messages in thread
From: Sergei Gavrikov @ 2010-12-09 21:54 UTC (permalink / raw)
  To: Michael Bergandi; +Cc: eCos Discuss List

[Fork thread]

FYI: SSL for silly H/W

Michael Bergandi wrote:
> Sergei,
> 
> Sergei Gavrikov wrote:
> > My 2 cents:
> >
> > I would look at PolarSSL
> > 1) http://polarssl.org/features
> > 2) http://polarssl.org/licensing
> >
> > IMO, point #2 is valuable thing to port PolarSSL to eCos.
> 
> Looks Ok, but I see no mention of an interface to encryption hardware
> accelerators.  That is a big sticking point for us.

Michael, I get it. Excuse this fork, maybe it's interesting to know.

As getting the 'libpolarssl.a' for eCos took only 10 minutes (project
follows great coding style) and library's size was <160K, I will stick
on it and I hope I will try to test it this weekend. However, this was
my first look.

At least I got 3 simple SSL (PolarSSL) execs for eCos (2 clients and 1
server) for testing.  It was just used eCos 'net' template to build the
library and tests. I hope they will work. If anyone is interested I have
small patch and draft makefile to build PolarSSL for eCos.

Sergei


* [ECOS] Re: PolarSSL [Was: On Porting OpenSSL v1.0.0c]
  2010-12-09 21:54       ` [ECOS] PolarSSL [Was: On Porting OpenSSL v1.0.0c] Sergei Gavrikov
@ 2010-12-11 10:43         ` Sergei Gavrikov
  2010-12-12 15:42         ` [ECOS] " Michael Bergandi
  1 sibling, 0 replies; 17+ messages in thread
From: Sergei Gavrikov @ 2010-12-11 10:43 UTC (permalink / raw)
  Cc: eCos Discuss List

On Thu, 9 Dec 2010, Sergei Gavrikov wrote:

> [Fork thread]
> 
> FYI: SSL for silly H/W
> 
> Michael Bergandi wrote:
> > Sergei,
> > 
> > Sergei Gavrikov wrote:
> > > My 2 cents:
> > >
> > > I would look at PolarSSL
> > > 1) http://polarssl.org/features
> > > 2) http://polarssl.org/licensing
> > >
> > > IMO, point #2 is valuable thing to port PolarSSL to eCos.
> > 
> > Looks Ok, but I see no mention of an interface to encryption
> > hardware accelerators.  That is a big sticking point for us.
> 
> Michael, I get it. Excuse this fork, maybe it's interesting to know.
> 
> As getting the 'libpolarssl.a' for eCos took only 10 minutes
> (project follows great coding style) and library's size was <160K, I
> will stick on it and I hope I will try to test it this weekend.
> However, this was my first look.
> 
> At least I got 3 simple SSL (PolarSSL) execs for eCos (2 clients and 1
> server) for testing.  It was just used eCos 'net' template to build
> the library and tests. I hope they will work. If anyone is interested
> I have small patch and draft makefile to build PolarSSL for eCos.

Hi,

Well, as I promised to test, short report is here. PolarSSL 'ssl_server'
quite works under eCos (tested on Linux synthetic target).

The encrypted connections with the server were established using Mozilla
Firefox 3.6, 4.0 beta; Google Chrome 8.0 beta; w3m/0.5.2. I'm sorry, I
have not IEs.

I would mention also that you can test PolarSSL executables built
for your hosts (Linux or Windows).

In my view, a port of PolarSSL to eCos would be straightforward, but now
I have some doubts about its license (all sources point to GPL only).

Sergei


* Re: [ECOS] PolarSSL [Was: On Porting OpenSSL v1.0.0c]
  2010-12-09 21:54       ` [ECOS] PolarSSL [Was: On Porting OpenSSL v1.0.0c] Sergei Gavrikov
  2010-12-11 10:43         ` [ECOS] " Sergei Gavrikov
@ 2010-12-12 15:42         ` Michael Bergandi
  1 sibling, 0 replies; 17+ messages in thread
From: Michael Bergandi @ 2010-12-12 15:42 UTC (permalink / raw)
  To: Sergei Gavrikov; +Cc: eCos Discuss List

Hey Sergei,

> At least I got 3 simple SSL (PolarSSL) execs for eCos (2 clients and 1
> server) for testing.  It was just used eCos 'net' template to build the
> library and tests. I hope they will work. If anyone is interested I have
> small patch and draft makefile to build PolarSSL for eCos.
>

I would still be interested in seeing what you did to get it going for eCos.
Could you send me what you have?

Thanks,

Mike


* [ECOS] Re: On Porting OpenSSL v1.0.0c
  2010-12-14  9:35   ` [ECOS] Re: On Porting OpenSSL v1.0.0c John Dallaway
                       ` (2 preceding siblings ...)
  2010-12-15  8:31     ` [ECOS] " Retallack, Mark
@ 2010-12-16 17:05     ` Sergei Gavrikov
  3 siblings, 0 replies; 17+ messages in thread
From: Sergei Gavrikov @ 2010-12-16 17:05 UTC (permalink / raw)
  To: John Dallaway
  Cc: Retallack, Mark, 'Michael Bergandi', eCos Discussion

On Tue, 14 Dec 2010, John Dallaway wrote:

> <aside>
> Is there any interest in using SSL with the lwIP TCP/IP stack? Perhaps
> someone has already got this combination working?
> </aside>

Hi All,
hi John:

Since I have got a preliminary draft PolarSSL EPK, I know that only one
of its source files (library/net.c) depends on BSD sockets, so it seems to
me that with a new implementation (net_lwip.c?) it will be possible to
build an SSL client/server using CYGPKG_NET_LWIP. I added this to my TO-DO
list.

Sergei


* RE: [ECOS] RE: On Porting OpenSSL v1.0.0c
  2010-12-15  8:31     ` [ECOS] " Retallack, Mark
@ 2010-12-16  8:03       ` Retallack, Mark
  0 siblings, 0 replies; 17+ messages in thread
From: Retallack, Mark @ 2010-12-16  8:03 UTC (permalink / raw)
  To: 'eCos Discussion'

Hi all

I have placed the port of Open SSL 0.9.8o at:

http://www.retallack.org.uk/files/openssl0.9.8o-ecos.tar.gz 

Please note, standard disclaimers etc... use at your own risk. Hopefully someone will find it useful. 

It still needs a few changes before being ready for full use:

* Changelog needs updating (have not updated to show change to 0.9.8o from 0.9.7m).
* Remove unwanted files
* Clean up RAND calcs, currently uses time(), this needs to be more platform independent.
* Update tests
* Update Docs

Mark.

-----Original Message-----
From: ecos-discuss-owner@ecos.sourceware.org [mailto:ecos-discuss-owner@ecos.sourceware.org] On Behalf Of Retallack, Mark
Sent: 15 December 2010 08:32
To: 'John Dallaway'
Cc: 'eCos Discussion'
Subject: [ECOS] RE: On Porting OpenSSL v1.0.0c

Hi all, 

-----Original Message-----
From: John Dallaway [mailto:john@dallaway.org.uk] 
Sent: 14 December 2010 09:35
To: Retallack, Mark; 'Michael Bergandi'; Sergei Gavrikov
Cc: eCos Discussion
Subject: Re: On Porting OpenSSL v1.0.0c

Hi Mike, Mark, Sergei and all

Mark wrote:

> I have updated the original OpenSSL v0.9.6b to a later version (0.9.8o),
> which was released in June 2010. It has been on my todo list to get it
> cleaned up and generate a patch. If you are interested in that version,
> I can tar.gz the files and send them to you.

Mike wrote:

> The project I am working on will be using SSL to provide a secure web
> interface for device configuration. In addition, we want to leverage
> the encryption module on our processor (mx27) to get some hardware
> acceleration for our other encryption needs. The ENGINE interface, in
> particular, is the primary reason for our desire to go ahead and port
> the latest OpenSSL to eCos.

Sergei wrote:

> I would look at PolarSSL
> 1) http://polarssl.org/features

>
>
>It looks like there is certainly interest in an up-to-date free SSL
>implementation for eCos. Configurability, licensing and ease-of-update
>are key factors here. It would be interesting to compare the sizes of
>PolarSSL and OpenSSL when configured with the same feature set. OpenSSL
>licensing is certainly more flexible than the open source PolarSSL
>license for deployment in commercial embedded systems.
>
>Mark, was there much effort involved in updating Andrew Lunn's original
>port of OpenSSL v0.9.6b? The version numbering suggests no major changes.
>
>Does anyone have up-to-date information (with reference) on the
>restrictions for hosting this class of cryptographic source code on a
>publically-accessible server located in the United States?
>
><aside>
>Is there any interest in using SSL with the lwIP TCP/IP stack? Perhaps
>someone has already got this combination working?
></aside>
>
>John Dallaway
>eCos maintainer

-------------------------------------------------

We did look at using the version 1x stream of OpenSSL but found that the changes from the original port were complex; the port of OpenSSL 0.9.8o was relatively simple. The code layout was mostly the same and it just slotted in (with a bit of extra plumbing).

I have tar-gz'ed the code and am just looking for a place to put it (it is quite large so I don't want to attach it to a mailing list email); in the meantime, if anyone wants it, just send me an email.

I think someone else mentioned this already but there are 2 Security Advisories out on 0.9.8o.

Mark



* [ECOS] RE: On Porting OpenSSL v1.0.0c
  2010-12-14  9:35   ` [ECOS] Re: On Porting OpenSSL v1.0.0c John Dallaway
  2010-12-14 11:04     ` Ross Younger
  2010-12-14 15:32     ` Sergei Gavrikov
@ 2010-12-15  8:31     ` Retallack, Mark
  2010-12-16  8:03       ` Retallack, Mark
  2010-12-16 17:05     ` [ECOS] " Sergei Gavrikov
  3 siblings, 1 reply; 17+ messages in thread
From: Retallack, Mark @ 2010-12-15  8:31 UTC (permalink / raw)
  To: 'John Dallaway'; +Cc: 'eCos Discussion'

Hi all, 

-----Original Message-----
From: John Dallaway [mailto:john@dallaway.org.uk] 
Sent: 14 December 2010 09:35
To: Retallack, Mark; 'Michael Bergandi'; Sergei Gavrikov
Cc: eCos Discussion
Subject: Re: On Porting OpenSSL v1.0.0c

Hi Mike, Mark, Sergei and all

Mark wrote:

> I have updated the original OpenSSL v0.9.6b to a later version (0.9.8o),
> which was released in June 2010. It has been on my todo list to get it
> cleaned up and generate a patch. If you are interested in that version,
> I can tar.gz the files and send them to you.

Mike wrote:

> The project I am working on will be using SSL to provide a secure web
> interface for device configuration. In addition, we want to leverage
> the encryption module on our processor (mx27) to get some hardware
> acceleration for our other encryption needs. The ENGINE interface, in
> particular, is the primary reason for our desire to go ahead and port
> the latest OpenSSL to eCos.

Sergei wrote:

> I would look at PolarSSL
> 1) http://polarssl.org/features

>
>
>It looks like there is certainly interest in an up-to-date free SSL
>implementation for eCos. Configurability, licensing and ease-of-update
>are key factors here. It would be interesting to compare the sizes of
>PolarSSL and OpenSSL when configured with the same feature set. OpenSSL
>licensing is certainly more flexible than the open source PolarSSL
>license for deployment in commercial embedded systems.
>
>Mark, was there much effort involved in updating Andrew Lunn's original
>port of OpenSSL v0.9.6b? The version numbering suggests no major changes.
>
>Does anyone have up-to-date information (with reference) on the
>restrictions for hosting this class of cryptographic source code on a
>publically-accessible server located in the United States?
>
><aside>
>Is there any interest in using SSL with the lwIP TCP/IP stack? Perhaps
>someone has already got this combination working?
></aside>
>
>John Dallaway
>eCos maintainer

-------------------------------------------------

We did look at using the version 1x stream of OpenSSL but found that the changes from the original port were complex; the port of OpenSSL 0.9.8o was relatively simple. The code layout was mostly the same and it just slotted in (with a bit of extra plumbing).

I have tar-gz'ed the code and am just looking for a place to put it (it is quite large so I don't want to attach it to a mailing list email); in the meantime, if anyone wants it, just send me an email.

I think someone else mentioned this already but there are 2 Security Advisories out on 0.9.8o.

Mark



* [ECOS] Re: On Porting OpenSSL v1.0.0c
  2010-12-14 15:32     ` Sergei Gavrikov
@ 2010-12-14 19:00       ` John Dallaway
  0 siblings, 0 replies; 17+ messages in thread
From: John Dallaway @ 2010-12-14 19:00 UTC (permalink / raw)
  To: Sergei Gavrikov; +Cc: eCos Discussion

Hi Sergei

Sergei Gavrikov wrote:

> If we can have only the 3rd party crypto packages, that's good to have
> different alternatives.  And 2-3 alternatives is not too much :-)
> 
> Well, as I said 'A', I will work on CYGPKG_POLARSSL. Certainly, that will
> be movements only in porting and testing. I am not expert in the field of
> cryptography.

Great! If the PolarSSL footprint is significantly smaller than OpenSSL
with an equivalent feature set configured, then your port could prove to
be very useful for projects where the unmodified GPL is not an issue, or
for projects where a commercial PolarSSL license makes sense.

John Dallaway


* [ECOS] Re: On Porting OpenSSL v1.0.0c
  2010-12-14 11:04     ` Ross Younger
  2010-12-14 14:51       ` Sergei Gavrikov
@ 2010-12-14 18:22       ` John Dallaway
  1 sibling, 0 replies; 17+ messages in thread
From: John Dallaway @ 2010-12-14 18:22 UTC (permalink / raw)
  To: Ross Younger, eCos Discussion

Ross Younger wrote:

> John Dallaway <john@dallaway.org.uk> wrote:
> 
>> Does anyone have up-to-date information (with reference) on the
>> restrictions for hosting this class of cryptographic source code on a
>> publically-accessible server located in the United States?
> 
> The Debian project researched the situation a few years ago - with legal
> assistance - and consequently decided to integrate crypto with their
> main distribution, jump through a few hoops to notify the US government
> about it, and stop maintaining their non-US crypto download site.
> http://www.debian.org/legal/cryptoinmain has information.

Ross, that's exactly the sort of information I was looking for. Thank you!

All, the eCos maintainers would need to make some sort of formal policy
decision at some point if we are to ever import SSL source code into the
eCos repository. However, this should not prevent or discourage
collaboration on new/updated SSL ports for eCos.

John Dallaway
eCos maintainer


* [ECOS] Re: On Porting OpenSSL v1.0.0c
  2010-12-14  9:35   ` [ECOS] Re: On Porting OpenSSL v1.0.0c John Dallaway
  2010-12-14 11:04     ` Ross Younger
@ 2010-12-14 15:32     ` Sergei Gavrikov
  2010-12-14 19:00       ` John Dallaway
  2010-12-15  8:31     ` [ECOS] " Retallack, Mark
  2010-12-16 17:05     ` [ECOS] " Sergei Gavrikov
  3 siblings, 1 reply; 17+ messages in thread
From: Sergei Gavrikov @ 2010-12-14 15:32 UTC (permalink / raw)
  To: John Dallaway
  Cc: Retallack, Mark, 'Michael Bergandi', eCos Discussion

On Tue, 14 Dec 2010, John Dallaway wrote:

> ... It would be interesting to compare the sizes of PolarSSL and
> OpenSSL when configured with the same feature set.

Hi John,

I built and tried PolarSSL on the eCos Linux synthetic target, but that was
an external build with its default settings. I know the size of what I got. But
it seems I need to get a CDLized PolarSSL (CYGPKG_POLARSSL eCos package)
for such a comparison (and at first, Andrew's port of OpenSSL would
be used).  However, in my opinion, that's not very important (I mean the
sizes). Your main question was: can future eCos releases have 'net/*ssl'
packages out of the box at all?  And I'm still having doubts... If we can
have only the 3rd party crypto packages, it's good to have different
alternatives.  And 2-3 alternatives is not too much :-)

Well, as I said 'A', I will work on CYGPKG_POLARSSL. Certainly, that will
be movements only in porting and testing. I am not expert in the field of
cryptography.

Sergei


* Re: [ECOS] Re: On Porting OpenSSL v1.0.0c
  2010-12-14 11:04     ` Ross Younger
@ 2010-12-14 14:51       ` Sergei Gavrikov
  2010-12-14 18:22       ` John Dallaway
  1 sibling, 0 replies; 17+ messages in thread
From: Sergei Gavrikov @ 2010-12-14 14:51 UTC (permalink / raw)
  To: Ross Younger; +Cc: eCos Discussion

On Tue, 14 Dec 2010, Ross Younger wrote:

> * John Dallaway <john@dallaway.org.uk> wrote:
...
> > Does anyone have up-to-date information (with reference) on the
> > restrictions for hosting this class of cryptographic source code on a
> > publically-accessible server located in the United States?
> 
> The Debian project researched the situation a few years ago - with legal
> assistance - and consequently decided to integrate crypto with their
> main distribution, jump through a few hoops to notify the US government
> about it, and stop maintaining their non-US crypto download site.
> http://www.debian.org/legal/cryptoinmain has information.

They rock! And what's about RedHat (our nearest public hop :-)? I found
answer here http://www.openssl.org/support/faq.html#BUILD8

It was interesting to know that expiry dates for patents exist! (IANAL,
but, as I see it, today only RC5 is an issue).

Sergei


* Re: [ECOS] Re: On Porting OpenSSL v1.0.0c
  2010-12-14  9:35   ` [ECOS] Re: On Porting OpenSSL v1.0.0c John Dallaway
@ 2010-12-14 11:04     ` Ross Younger
  2010-12-14 14:51       ` Sergei Gavrikov
  2010-12-14 18:22       ` John Dallaway
  2010-12-14 15:32     ` Sergei Gavrikov
                       ` (2 subsequent siblings)
  3 siblings, 2 replies; 17+ messages in thread
From: Ross Younger @ 2010-12-14 11:04 UTC (permalink / raw)
  To: eCos Discussion

* John Dallaway <john@dallaway.org.uk> wrote:
> Mark, was there much effort involved in updating Andrew Lunn's original
> port of OpenSSL v0.9.6b? The version numbering suggests no major changes.

There were an awful lot of changes; that range spans almost nine
years of development. See http://www.openssl.org/news/changelog.html
for full details.  (BTW, OpenSSL release numbering doesn't follow the
traditional major.minor.patch naming scheme; it might be better described
as major.submajor.minor[patch].)

By the way, 0.9.8o is the subject of two recent security advisories;
anybody using it in a real project ought to upgrade to 0.9.8q or at
the very least read the advisories carefully and consider applying the
patches given within. (Indeed, anybody using OpenSSL in a real project
ought at the very least to subscribe to openssl-announce.)


> Does anyone have up-to-date information (with reference) on the
> restrictions for hosting this class of cryptographic source code on a
> publicly-accessible server located in the United States?

The Debian project researched the situation a few years ago - with legal
assistance - and consequently decided to integrate crypto with their
main distribution, jump through a few hoops to notify the US government
about it, and stop maintaining their non-US crypto download site.
http://www.debian.org/legal/cryptoinmain has information.


Ross


^ permalink raw reply	[flat|nested] 17+ messages in thread
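
The release numbering described in the message above, as an added example that is not part of the thread or of the eCos or OpenSSL sources: it encodes a release string the way OPENSSL_VERSION_NUMBER in opensslv.h lays out pre-3.0 release builds (0xMNNFFPPS, status nibble 0xf), so that letter releases order correctly against a minimum such as 0.9.8q. The function names are hypothetical, and only a single optional patch letter is accepted.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: encode "M.N.F[p]" as 0xMNNFFPPS with the release
 * status nibble 0xf, matching the OPENSSL_VERSION_NUMBER layout.
 * Returns 0 if the string is not in that form. */
unsigned long ossl_version_key(const char *s)
{
    unsigned long part[3], patch = 0;
    char *end;
    int i;

    for (i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)*s))
            return 0;
        part[i] = strtoul(s, &end, 10);
        s = end;
        if (i < 2 && *s++ != '.')
            return 0;
    }
    if (part[0] > 0xf || part[1] > 0xff || part[2] > 0xff)
        return 0;
    if (*s >= 'a' && *s <= 'z')        /* optional patch letter: a=1, b=2, ... */
        patch = (unsigned long)(*s++ - 'a') + 1;
    if (*s != '\0')                    /* trailing text or a second letter */
        return 0;
    return (part[0] << 28) | (part[1] << 20) | (part[2] << 12)
         | (patch << 4) | 0xfUL;
}

/* 1 if version is older than minimum, 0 if not, -1 if either fails to parse. */
int ossl_older_than(const char *version, const char *minimum)
{
    unsigned long v = ossl_version_key(version);
    unsigned long m = ossl_version_key(minimum);
    return (v == 0 || m == 0) ? -1 : (v < m);
}

int main(void)
{
    /* Versions named in the thread; 0.9.8q is the upgrade target it gives. */
    const char *seen[] = { "0.9.6b", "0.9.8o", "0.9.8q", "1.0.0c" };
    size_t i;
    for (i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("%-7s key=0x%08lx older_than_0.9.8q=%d\n", seen[i],
               ossl_version_key(seen[i]), ossl_older_than(seen[i], "0.9.8q"));
    return 0;
}
```

Because the key uses the same layout as the header constant, the same threshold can be compared against OPENSSL_VERSION_NUMBER at build time in a port's configuration check.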

* [ECOS] Re: On Porting OpenSSL v1.0.0c
       [not found] ` <C4E8D0478C3D194FA02B65678CBB6C6087A78E6E66@DEFTHW99EC5MSX.ww902.siemens.net>
@ 2010-12-14  9:35   ` John Dallaway
  2010-12-14 11:04     ` Ross Younger
                       ` (3 more replies)
  0 siblings, 4 replies; 17+ messages in thread
From: John Dallaway @ 2010-12-14  9:35 UTC (permalink / raw)
  To: Retallack, Mark, 'Michael Bergandi', Sergei Gavrikov
  Cc: eCos Discussion

Hi Mike, Mark, Sergei and all

Mark wrote:

> I have updated the original OpenSSL v0.9.6b to a later version (0.9.8o),
> which was released in June 2010. It has been on my todo list to get it
> cleaned up and generate a patch. If you are interested in that version,
> I can tar.gz the files and send them to you.

Mike wrote:

> The project I am working on will be using SSL to provide a secure web
> interface for device configuration. In addition, we want to leverage
> the encryption module on our processor (mx27) to get some hardware
> acceleration for our other encryption needs. The ENGINE interface, in
> particular, is the primary reason for our desire to go ahead and port
> the latest OpenSSL to eCos.

Sergei wrote:

> I would look at PolarSSL
> 1) http://polarssl.org/features

It looks like there is certainly interest in an up-to-date free SSL
implementation for eCos. Configurability, licensing and ease-of-update
are key factors here. It would be interesting to compare the sizes of
PolarSSL and OpenSSL when configured with the same feature set. OpenSSL
licensing is certainly more flexible than the open source PolarSSL
license for deployment in commercial embedded systems.

Mark, was there much effort involved in updating Andrew Lunn's original
port of OpenSSL v0.9.6b? The version numbering suggests no major changes.

Does anyone have up-to-date information (with reference) on the
restrictions for hosting this class of cryptographic source code on a
publicly-accessible server located in the United States?

<aside>
Is there any interest in using SSL with the lwIP TCP/IP stack? Perhaps
someone has already got this combination working?
</aside>

John Dallaway
eCos maintainer


^ permalink raw reply	[flat|nested] 17+ messages in thread

end of thread, other threads:[~2010-12-16 17:05 UTC | newest]

Thread overview: 17+ messages
2010-12-07 16:33 [ECOS] On Porting OpenSSL v1.0.0c Michael Bergandi
2010-12-08 10:04 ` Alex Schuilenburg
2010-12-09 16:09 ` [ECOS] " Michael Bergandi
2010-12-09 16:53   ` Sergei Gavrikov
2010-12-09 18:07     ` Michael Bergandi
2010-12-09 21:54       ` [ECOS] PolarSSL [Was: On Porting OpenSSL v1.0.0c] Sergei Gavrikov
2010-12-11 10:43         ` [ECOS] " Sergei Gavrikov
2010-12-12 15:42         ` [ECOS] " Michael Bergandi
     [not found] <AANLkTi=3hSnicTZ77Ci3Nfw9BEMYYv3Cg4Ub_kpA12QD@mail.gmail.com>
     [not found] ` <C4E8D0478C3D194FA02B65678CBB6C6087A78E6E66@DEFTHW99EC5MSX.ww902.siemens.net>
2010-12-14  9:35   ` [ECOS] Re: On Porting OpenSSL v1.0.0c John Dallaway
2010-12-14 11:04     ` Ross Younger
2010-12-14 14:51       ` Sergei Gavrikov
2010-12-14 18:22       ` John Dallaway
2010-12-14 15:32     ` Sergei Gavrikov
2010-12-14 19:00       ` John Dallaway
2010-12-15  8:31     ` [ECOS] " Retallack, Mark
2010-12-16  8:03       ` Retallack, Mark
2010-12-16 17:05     ` [ECOS] " Sergei Gavrikov
