On 11/15/10 18:21, Jim Starkey wrote:

> On 11/15/2010 6:07 AM, Paul Ruizendaal wrote:
>> The most popular API is that of OpenSSL: other implementations tend to use
>> that API as to be an easy substitute. OpenSSL is a big package (1MB
>> binary), a smaller choice is yassl (GPL, 200KB binary):
>> http://www.yassl.com/
>> I guess running the existing FB wire protocol over TLS would fix a lot of
>> concerns. Assuming NimbusDB can't use GPL, yassl sell source code licenses
>> for $5,000.
>>
> There's a licensing problem with yassl and Firebird. Yassl is GPL with
> a FOSS exclusion, but the FOSS exclusion is the MySQL / Oracle FOSS
> exclusion, which has an explicit list of acceptable FOSS licenses.
> Needless to say, neither the IDPL or the IPL are listed. Maybe you
> could talk to Larry Ellison about including Firebird...
>
> As for NimbusDB, I think I'm happy with the client sending a session key
> encrypted with the hash of the password. No additional round trips, no
> expensive RSA encryption, decryption, no man in the middle issue, though
> I'm still pondering the issue.

Unfortunately this method has one limitation. You suppose that client
sends to the server login (to make server know the hash of password) and
knows password, entered by client. But firebird does not require only
login/password authentication, it already has windows trusted
authentication, where only security context from client is sent to
server and CURRENT_USER name becomes known at server site from OS. With
this schema (rather reliable, BTW, from security POV) client does not
have something to crypt session key.