Can we port OpenSSL into the FreeBSD kernel? Just the TLSv1 stack alone

I am looking at porting OpenSSL to the kernel, with or without the crypto engine support available in FreeBSD 9.1. Can you advise if it is possible? If it is possible, what is the minimum set of files required for porting TLSv1 alone?

Thanks
Krishna Mohan.
Asked by: ekrishnamohan

Dave Baldwin (Fixer of Problems) commented:
Are you sure it's not already there? http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/book.html#openssl If it is not, you should be able to get it through the Package Manager, which will make sure that you get a compatible version.
ekrishnamohan (Author) commented:
Hi Dave,
   It is not there for the kernel. I am looking at porting OpenSSL only to the kernel.

Thanks
Krishna Mohan.
arnold commented:
OpenSSL deals with encryption methods, and TLS is an application-level transport method.
What application do you want to limit to TLSv1 versus both TLS/SSLv2, v3?
Dave Baldwin (Fixer of Problems) commented:
From http://www.openssl.org/ ...
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
It is usually included with most Linux distributions to implement those functions. OpenSSL version 0.9.8 is included with FreeBSD 9.1.
http://www.freebsd.org/releases/9.1R/relnotes-detailed.html
ekrishnamohan (Author) commented:
Dear Arnold,
    We want to port it to the kernel. As of now, it is available in user space. We would like to support only TLSv1 with the NIST cipher list as a bare minimum. For this, we need help to find out whether it is feasible and, if it is feasible, how we can do it.

Thanks
Krishna Mohan.
arnold commented:
Disabling cyphers is part of the config within openssl.conf.

I am not sure why you would want to place/integrate openssl into the kernel.
An old discussion just on this matter
http://marc.info/?l=openssl-users&m=97931343106136

What do you think/hope to achieve?
Openssl is more of a library on which other applications rely/depend to add certain functionality.
Updates to openssl at times occur frequently.  This will require a rapid update to the kernel.
ekrishnamohan (Author) commented:
Hi Arnold,
     Thanks for the pointer to the openssl-users mail chain. This is for a storage box to act as an SSL server. Sorry for not disclosing company details. For performance reasons, we would like the SSL stack to be in the kernel. I didn't see any risks with ciphers being ported to the kernel. Porting looks tough with the SSL stack. I am looking at porting the entire OpenSSL, or the partial set which supports the NIST cipher list, to the kernel, though updating risks are present. Even if there is an alternative to OpenSSL, we are open to trying it out.

Thanks in advance
Krishna Mohan.
arnold commented:
The existence of the stack within the kernel means that any application requiring SSL functionality will communicate with the kernel. Exposing ...
Why not use it as intended? I do not believe there is any benefit to having OpenSSL reside within the kernel space. You increase risks/attack vector.

It is one thing to migrate a device driver into a kernel built-in given it operates within the kernel space already.

Look at openssl.conf  and limiting ciphers.
http://www.openssl.org/docs/apps/ciphers.html
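
One way to act on the advice above about limiting ciphers in user space (an added example, not part of the original thread): a shell function that reads the output of `openssl ciphers -v '<cipher string>'` on stdin and reports every suite a policy rejects, so a cipher string can be checked before it is deployed. The function name, the rejection policy and the sample listing are assumptions constructed for illustration; the policy is not a NIST list.

```shell
#!/bin/sh
# Constructed sample in the column layout printed by `openssl ciphers -v`.
SAMPLE_LISTING='AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export'

# audit_ciphers (hypothetical helper): reads a cipher listing on stdin,
# prints "<suite>: <reasons>" for each rejected suite, and returns 1 if
# anything was rejected, 0 if the whole expansion passes the policy.
audit_ciphers() {
    awk '
    NF < 6 { next }                      # skip blank or malformed lines
    {
        reason = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "Au=None")   reason = reason " anonymous-auth"
            if ($i == "Enc=None")  reason = reason " no-encryption"
            if ($i ~ /^Enc=RC4/)   reason = reason " rc4"
            if ($i ~ /^Enc=[A-Za-z0-9]+\((40|56)\)$/) reason = reason " short-key"
            if ($i == "Mac=MD5")   reason = reason " md5-mac"
            if ($i == "export")    reason = reason " export-grade"
        }
        if (reason != "") { printf "%s:%s\n", $1, reason; bad = 1 }
    }
    END { exit bad + 0 }
    '
}

# Demo on the constructed listing; on a real host, pipe in
#   openssl ciphers -v "$CIPHER_STRING"
printf '%s\n' "$SAMPLE_LISTING" | audit_ciphers || echo "cipher string rejected"
```

A cipher string is acceptable under this policy only when the function prints nothing and returns 0.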

Dave Baldwin (Fixer of Problems) commented:
What is an "SSL Server"?  SSL/TLS are for encrypting network communications.  There is also the matter of generating and validating SSL/TLS certificates.  ??
ekrishnamohan (Author) commented:
I didn't get a full solution. Part is answered.