Can we port OpenSSL into the FreeBSD kernel? Just the TLSv1 stack alone

I am looking at porting OpenSSL to the kernel, with or without the crypto engine support available in FreeBSD 9.1. Can you advise if it is possible? If it is possible, what is the minimum set of files required for porting TLSv1 alone?

Thanks
Krishna Mohan.
ekrishnamohan Asked:
 
arnold Commented:
The existence of the stack within the kernel points to any application requiring SSL functionality will communicate with the kernel. Exposing ...
Why not use it as intended? I do not believe there is any benefit of having OpenSSL reside within the kernel space. You increase risks/attack vector.

It is one thing to migrate a device driver into a kernel built-in given it operates within the kernel space already.

Look at openssl.conf and limiting ciphers.
http://www.openssl.org/docs/apps/ciphers.html
 
Dave Baldwin (Fixer of Problems) Commented:
Are you sure it's not already there? http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/book.html#openssl If it is not, you should be able to get it through the Package Manager, which will make sure that you get a compatible version.
 
ekrishnamohan (Author) Commented:
Hi Dave,
It is not there for the kernel. I am looking at porting OpenSSL only to the kernel.

Thanks
Krishna Mohan.
 
arnold Commented:
OpenSSL deals with encryption methods, and TLS is an application-level transport method.
What application do you want to limit to TLSv1 versus both TLS/SSLv2, v3?
 
Dave Baldwin (Fixer of Problems) Commented:
From http://www.openssl.org/ ...
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
It is usually included with most Linux distributions to implement those functions. OpenSSL version 0.9.8 is included with FreeBSD 9.1.
http://www.freebsd.org/releases/9.1R/relnotes-detailed.html
 
ekrishnamohan (Author) Commented:
Dear Arnold,
We want to port it to the kernel. As of now, it is available in user space. We would like to support only TLSv1 with the NIST cipher list as a bare minimum. For this, we need help to find out whether it is feasible and, if it is feasible, how we can do it.

Thanks
Krishna Mohan.
 
arnold Commented:
Disabling ciphers is part of the config within openssl.conf.

I am not sure why you would want to place/integrate OpenSSL into the kernel.
An old discussion just on this matter:
http://marc.info/?l=openssl-users&m=97931343106136

What do you think/hope to achieve?
OpenSSL is more of a library on which other applications rely/depend to add certain functionality.
Updates to OpenSSL at times occur frequently. This will require a rapid update to the kernel.
 
ekrishnamohan (Author) Commented:
Hi Arnold,
Thanks for the pointer to the openssl-users mail chain. This is for a storage box to act as an SSL server. Sorry for not disclosing company details. For performance reasons, we would like the SSL stack to be in the kernel. I didn't see any risks with ciphers being ported to the kernel. Porting the SSL stack looks tough. I am looking at porting the entire OpenSSL, or the partial set which supports the NIST cipher list, to the kernel, though updating risks are present. If there is an alternative to OpenSSL, we are open to trying it out.

Thanks in advance
Krishna Mohan.
 
Dave Baldwin (Fixer of Problems) Commented:
What is an "SSL Server"? SSL/TLS are for encrypting network communications. There is also the matter of generating and validating SSL/TLS certificates. ??
 
ekrishnamohan (Author) Commented:
I didn't get a full solution. Part is answered.
Question has a verified solution.