| Subject | Re: [Firebird-Architect] TLS |
|---|---|
| Author | Paul Ruizendaal |
| Post date | 2010-11-15T11:07:57Z |
On Sun, 14 Nov 2010 19:07:57 -0500, Jim Starkey <jstarkey@...>
wrote:
The most popular API is that of OpenSSL: other implementations tend to use
that API as to be an easy substitute. OpenSSL is a big package (1MB
binary), a smaller choice is yassl (GPL, 200KB binary):
http://www.yassl.com/
I guess running the existing FB wire protocol over TLS would fix a lot of
concerns. Assuming NimbusDB can't use GPL, yassl sell source code licenses
for $5,000.
Personally, for security I tend to prefer "old", widely used designs that
have withstood the test of time. Also, considering the embarassing
frequency of exploitable errors in implementations, I tend to prefer "old",
widely used code bases -- hoping that the choices include small, elegant
options.
As an alternative one could consider the SSH2 protocol as an alternative
for FB:
http://en.wikipedia.org/wiki/Secure_Shell
It satisfies my preference for old, proven algorithms and implementations
(OpenSSH), and I rather like the public key fingerprint concept to make
managing certificates more manageable, especially when combined with having
that available as an DNS record. For NimbusDB the below folks seem to have
a non-GPL, 400KB implementation for sale:
http://icon-labs.com/Products/SSH.ASP
Paul
wrote:
> Does anyone have actual experience using TLS? If so, what APIs wereused?
The most popular API is that of OpenSSL: other implementations tend to use
that API as to be an easy substitute. OpenSSL is a big package (1MB
binary), a smaller choice is yassl (GPL, 200KB binary):
http://www.yassl.com/
I guess running the existing FB wire protocol over TLS would fix a lot of
concerns. Assuming NimbusDB can't use GPL, yassl sell source code licenses
for $5,000.
Personally, for security I tend to prefer "old", widely used designs that
have withstood the test of time. Also, considering the embarassing
frequency of exploitable errors in implementations, I tend to prefer "old",
widely used code bases -- hoping that the choices include small, elegant
options.
As an alternative one could consider the SSH2 protocol as an alternative
for FB:
http://en.wikipedia.org/wiki/Secure_Shell
It satisfies my preference for old, proven algorithms and implementations
(OpenSSH), and I rather like the public key fingerprint concept to make
managing certificates more manageable, especially when combined with having
that available as an DNS record. For NimbusDB the below folks seem to have
a non-GPL, 400KB implementation for sale:
http://icon-labs.com/Products/SSH.ASP
Paul