[Vm-dev] SSLPlugin

Tobias Pape Das.Linux at gmx.de
Fri Jun 24 21:46:38 UTC 2016


Hi Eliot,

On 24.06.2016, at 23:24, Eliot Miranda <eliot.miranda at gmail.com> wrote:

> Hi Tobias,
> 
> On Fri, Jun 24, 2016 at 1:48 PM, Tobias Pape <Das.Linux at gmx.de> wrote:
> 
> 
> On 24.06.2016, at 22:15, Eliot Miranda <eliot.miranda at gmail.com> wrote:
> 
> > Hi All,
> >
> >     Now that we're on GitHub, would those who build the SSLPlugin be willing to fold in their build to the standard VM builds so that SSLPlugin is built alongside the others?
> 
> On principle, yes.
> It's hairy, still (see other mail)
> 
> got a link?

http://forum.world.st/Fetch-zip-file-from-web-unzip-save-constituent-parts-tp4901282p4901516.html

>  Why is it hairy?

I statically link libressl to evade the different so-names of centos vs debian.

>  Isn't it just a matter of updating HowToBuild with instructions, and then updating makefiles etc to build the same way that SSLPlugin is built?  If it's in the other mail, just post a link to the mail.  It passed me by and I don't see it.

The problem here is pulling in the dependency for Linux, LibreSSL.

[tl;dr: I'm still trying to re-write some parts of SqueakSSL]


What's more, I am dissatisfied with "vanilla" OpenSSL as the API to tackle.

This is the code Levente wrote to extract the subjectAlternateName(s) (SAN) from the certificate sent by 
the server on connect:

	https://github.com/squeak-smalltalk/squeakssl/pull/3/files#diff-9e4c3c0adfa49a82c47f778e7555b185R151

in order to verify it. This code is correct and Levente, as always, did a good job here.
But I would have liked it more if he had not had to write it in the first place.

You know what the way of SChannel (Windows) and SecureTransport (macOS) is?
Pass the server name on connect to the lib. It then handles SAN and SNI.
That's how it has to be, because we do not know enough about crypto to get
it right.

So my plan for the Unix plugin is to go with the libtls API of LibreSSL,
which wraps the OpenSSL API behind a quite foolproof one. You do SAN and SNI by
passing the server name on connect. Sounds familiar? Right :D.

Only problem: Squeak has Socket and SqueakSSL nicely decoupled, so there's
no way to just pass the socket or some fd from one to the other, and libtls
is not yet fit for that.

Hence I want to contribute to LibreSSL/libtls a way to do a connect with
r/w callbacks, which should fit our architecture.


[/end]



Other than that, stuff is in https://github.com/squeak-smalltalk/squeakssl 
and should actually match the tree in opensmalltalk-vm.


Best and thanks for listening
	-Tobias [Writing C again X-O ]

> thx!!
> 
> P.S.  Loving the amount of energy and activity in our communities right now.  Lovely!!
> _,,,^..^,,,_
> best, Eliot
