an experiment using mbed TLS
I wanted to see what it would take to use mbed tls with dillo. I put a copy of the diff at http://www.dillo.org/test/mbedtls.diff and I mention it here in case someone should want that one day. That said, it looks like netsurf uses curl, and curl can use any tls library you care to mention. And I'm pretty sure netsurf does javascript.
Hi,

On Sun, Jun 19, 2016 at 08:48:28PM +0000, eocene wrote:
I wanted to see what it would take to use mbed tls with dillo.
I put a copy of the diff at http://www.dillo.org/test/mbedtls.diff and I mention it here in case someone should want that one day.
What's the main point/difference in using mbedtls vs OpenSSL?
That said, it looks like netsurf uses curl, and curl can use any tls library you care to mention. And I'm pretty sure netsurf does javascript.
Sorry, I don't get the point here.

--
Cheers
Jorge.-
What's the main point/difference in using mbedtls vs OpenSSL?
OpenSSL is such a notorious nightmare--one gets the distinct impression that the developers have not taken their responsibility seriously--that I was curious to try a different one that is supposed to be more comprehensible. mbed tls had been on my mind as something I might want to try someday after they implement OCSP stapling, but then I was just in the mood for it the other day. As for how practical it would ever be to have this code in the real dillo someday, I think that comes down to: How good are distributions at making security updates available for their more obscure packages?
That said, it looks like netsurf uses curl, and curl can use any tls library you care to mention. And I'm pretty sure netsurf does javascript.
Sorry, I don't get the point here.
I was thinking how if someone did get the idea in their head that they wanted a small browser that works with mbed tls, dillo might not be the first choice.
I wrote:
As for how practical it would ever be to have this code in the real dillo someday, I think that comes down to: How good are distributions at making security updates available for their more obscure packages?
I realized this is an exceedingly trivial concern when compared with the fact that distributions have configured dillo with --enable-ssl for years despite the state of the old dpi and our all-caps warnings, thereby causing users to trust something they shouldn't.
On Sun, Jun 19, 2016 at 08:48:28PM +0000, eocene wrote:
I wanted to see what it would take to use mbed tls with dillo.
I put a copy of the diff at http://www.dillo.org/test/mbedtls.diff and I mention it here in case someone should want that one day.
Excellent. I like mbedtls (formerly known as PolarSSL). The code looks much saner to me than openssl.

Cheers,
Johannes
On Mon, Jun 20, 2016 at 10:10:54AM +0200, Johannes Hofmann wrote:
On Sun, Jun 19, 2016 at 08:48:28PM +0000, eocene wrote:
I wanted to see what it would take to use mbed tls with dillo.
I put a copy of the diff at http://www.dillo.org/test/mbedtls.diff and I mention it here in case someone should want that one day.
Excellent. I like mbedtls (formerly known as PolarSSL). The code looks much saner to me than openssl.
If you both agree it's a better lib than OpenSSL, +1.

--
Cheers
Jorge.-
Jorge wrote:
On Mon, Jun 20, 2016 at 10:10:54AM +0200, Johannes Hofmann wrote:
On Sun, Jun 19, 2016 at 08:48:28PM +0000, eocene wrote:
I wanted to see what it would take to use mbed tls with dillo.
I put a copy of the diff at http://www.dillo.org/test/mbedtls.diff and I mention it here in case someone should want that one day.
Excellent. I like mbedtls (formerly known as PolarSSL). The code looks much saner to me than openssl.
If you both agree it's a better lib than OpenSSL, +1.
All right, then. *commits*

If you need mbed TLS 2.x: https://tls.mbed.org/download

If you watch the MSGs, you'll see I've turned off the certificate chain printing and instead show a more concise summary at shutdown of which root certificates were used to verify communication with which servers. And at startup it'll tell you how many such certificates you are trusting. By default, I had 174, but I've trimmed them down on this computer to...twenty at the moment because I never need the ones from certificate authorities in China, Turkey, Hungary, etc.
On Sun, 3 Jul 2016 16:37:56 +0000 eocene <eocene at gmx.com> wrote:
Jorge wrote:
On Mon, Jun 20, 2016 at 10:10:54AM +0200, Johannes Hofmann wrote:
On Sun, Jun 19, 2016 at 08:48:28PM +0000, eocene wrote:
I wanted to see what it would take to use mbed tls with dillo.
I put a copy of the diff at http://www.dillo.org/test/mbedtls.diff and I mention it here in case someone should want that one day.
Excellent. I like mbedtls (formerly known as PolarSSL). The code looks much saner to me than openssl.
If you both agree it's a better lib than OpenSSL, +1.
All right, then. *commits*
If you need mbed TLS 2.x: https://tls.mbed.org/download
Ha ha.... that got me. I updated Dillo, and found SSL sites don't work. So I clicked on the above link... doesn't work as it is SSL :)

Nick

--
Gosh that takes me back... or is it forward? That's the trouble with time travel, you never can tell." -- Doctor Who "Androids of Tara"
On Sun, 3 Jul 2016 19:03:42 +0100 Nick Warne <nick at linicks.net> wrote:
On Sun, 3 Jul 2016 16:37:56 +0000 eocene <eocene at gmx.com> wrote:
Jorge wrote:
On Mon, Jun 20, 2016 at 10:10:54AM +0200, Johannes Hofmann wrote:
On Sun, Jun 19, 2016 at 08:48:28PM +0000, eocene wrote:
I wanted to see what it would take to use mbed tls with dillo.
I put a copy of the diff at http://www.dillo.org/test/mbedtls.diff and I mention it here in case someone should want that one day.
Excellent. I like mbedtls (formerly known as PolarSSL). The code looks much saner to me than openssl.
If you both agree it's a better lib than OpenSSL, +1.
All right, then. *commits*
If you need mbed TLS 2.x: https://tls.mbed.org/download
Ha ha.... that got me. I updated Dillo, and found SSL sites don't work. So I clicked on the above link... doesn't work as it is SSL :)
OK, what do I need to do to build this after an hour of head scratching:

checking mbedtls/ssl.h usability... no
checking mbedtls/ssl.h presence... yes
configure: WARNING: mbedtls/ssl.h: present but cannot be compiled
configure: WARNING: mbedtls/ssl.h: check for missing prerequisite headers?
configure: WARNING: mbedtls/ssl.h: see the Autoconf documentation
configure: WARNING: mbedtls/ssl.h: section "Present But Cannot Be Compiled"
configure: WARNING: mbedtls/ssl.h: proceeding with the compiler's result
checking for mbedtls/ssl.h... no
configure: WARNING: *** mbed TLS 2 not found. Disabling SSL/HTTPS/TLS support. ***

Thanks,

Nick

--
Gosh that takes me back... or is it forward? That's the trouble with time travel, you never can tell." -- Doctor Who "Androids of Tara"
Nick wrote:
OK, what do I need to do to build this after an hour of head scratching:
checking mbedtls/ssl.h usability... no
checking mbedtls/ssl.h presence... yes
configure: WARNING: mbedtls/ssl.h: present but cannot be compiled
configure: WARNING: mbedtls/ssl.h: check for missing prerequisite headers?
configure: WARNING: mbedtls/ssl.h: see the Autoconf documentation
configure: WARNING: mbedtls/ssl.h: section "Present But Cannot Be Compiled"
configure: WARNING: mbedtls/ssl.h: proceeding with the compiler's result
checking for mbedtls/ssl.h... no
configure: WARNING: *** mbed TLS 2 not found. Disabling SSL/HTTPS/TLS support. ***
IIRC, Jeremy was the closest we had to an autoconf expert, but he hasn't been around. Is anything interesting in the mbedtls region of the config.log file? I don't remember ever seeing quite that sort of set of warnings out of autoconf before.
I wrote:
Nick wrote:
OK, what do I need to do to build this after an hour of head scratching:
checking mbedtls/ssl.h usability... no
checking mbedtls/ssl.h presence... yes
configure: WARNING: mbedtls/ssl.h: present but cannot be compiled
configure: WARNING: mbedtls/ssl.h: check for missing prerequisite headers?
configure: WARNING: mbedtls/ssl.h: see the Autoconf documentation
configure: WARNING: mbedtls/ssl.h: section "Present But Cannot Be Compiled"
configure: WARNING: mbedtls/ssl.h: proceeding with the compiler's result
checking for mbedtls/ssl.h... no
configure: WARNING: *** mbed TLS 2 not found. Disabling SSL/HTTPS/TLS support. ***
IIRC, Jeremy was the closest we had to an autoconf expert, but he hasn't been around.
Is anything interesting in the mbedtls region of the config.log file?
I don't remember ever seeing quite that sort of set of warnings out of autoconf before.
I was able to reproduce the problem by uninstalling mbed tls and then pointing to it during configuration with CPPFLAGS to the include dir and LDFLAGS to the lib dir. Making the attached changes makes it succeed, although I've only gotten just that far at the moment and haven't looked into whether it's an error on their part or what...
I wrote:
I wrote:
Nick wrote:
OK, what do I need to do to build this after an hour of head scratching:
checking mbedtls/ssl.h usability... no
checking mbedtls/ssl.h presence... yes
configure: WARNING: mbedtls/ssl.h: present but cannot be compiled
configure: WARNING: mbedtls/ssl.h: check for missing prerequisite headers?
configure: WARNING: mbedtls/ssl.h: see the Autoconf documentation
configure: WARNING: mbedtls/ssl.h: section "Present But Cannot Be Compiled"
configure: WARNING: mbedtls/ssl.h: proceeding with the compiler's result
checking for mbedtls/ssl.h... no
configure: WARNING: *** mbed TLS 2 not found. Disabling SSL/HTTPS/TLS support. ***
IIRC, Jeremy was the closest we had to an autoconf expert, but he hasn't been around.
Is anything interesting in the mbedtls region of the config.log file?
I don't remember ever seeing quite that sort of set of warnings out of autoconf before.
I was able to reproduce the problem by uninstalling mbed tls and then pointing to it during configuration with CPPFLAGS to the include dir and LDFLAGS to the lib dir.
Making the attached changes makes it succeed, although I've only gotten just that far at the moment and haven't looked into whether it's an error on their part or what...
On Sun, 3 Jul 2016 21:09:40 +0000 eocene <eocene at gmx.com> wrote:
I wrote:
I wrote:
Nick wrote:
OK, what do I need to do to build this after an hour of head scratching: Making the attached changes makes it succeed, although I've only gotten just that far at the moment and haven't looked into whether it's an error on their part or what...
Good catch - all builds fine now - thanks,

Nick

--
Gosh that takes me back... or is it forward? That's the trouble with time travel, you never can tell." -- Doctor Who "Androids of Tara"
On Mon, 4 Jul 2016 06:08:58 +0100 Nick Warne <nick at linicks.net> wrote:
On Sun, 3 Jul 2016 21:09:40 +0000 eocene <eocene at gmx.com> wrote:
I wrote:
I wrote:
Nick wrote:
OK, what do I need to do to build this after an hour of head scratching: Making the attached changes makes it succeed, although I've only gotten just that far at the moment and haven't looked into whether it's an error on their part or what...
Good catch - all builds fine now - thanks,
A bit premature here. I quickly ran ./configure before work and configure worked OK. But tonight, run make, my linker bombed out with:

/usr/lib/gcc/i486-slackware-linux/4.8.2/../../../../i486-slackware-linux/bin/ld: cannot find -libmbedtls
/usr/lib/gcc/i486-slackware-linux/4.8.2/../../../../i486-slackware-linux/bin/ld: cannot find -libmbedx509
/usr/lib/gcc/i486-slackware-linux/4.8.2/../../../../i486-slackware-linux/bin/ld: cannot find -libmbedcrypto

Strange, as ldconfig -v reveals:

/usr/local/lib:
        libmbedcrypto.so.0 -> libmbedcrypto.so.2.3.0
        libmbedtls.so.10 -> libmbedtls.so.2.3.0
        libmbedx509.so.0 -> libmbedx509.so.2.3.0

Anyway, an hour of investigating, it turns out the linker flags are incorrect - changing in configure fixed it up:

if test "x$ssl_ok" = "xyes"; then
  LIBSSL_LIBS="-libmbedtls -libmbedx509 -libmbedcrypto"

Should be -lmbedtls, -lmbedx509 and -lmbedcrypto

All really does build fine now :)

mbedtls seems to work well - seems a tad quicker too.

Nick

--
Gosh that takes me back... or is it forward? That's the trouble with time travel, you never can tell." -- Doctor Who "Androids of Tara"
Nick wrote:
A bit premature here. I quickly ran ./configure before work and configure worked OK. But tonight, run make, my linker bombed out with:
/usr/lib/gcc/i486-slackware-linux/4.8.2/../../../../i486-slackware-linux/bin/ld: cannot find -libmbedtls
/usr/lib/gcc/i486-slackware-linux/4.8.2/../../../../i486-slackware-linux/bin/ld: cannot find -libmbedx509
/usr/lib/gcc/i486-slackware-linux/4.8.2/../../../../i486-slackware-linux/bin/ld: cannot find -libmbedcrypto
Strange, as ldconfig -v reveals:
/usr/local/lib:
        libmbedcrypto.so.0 -> libmbedcrypto.so.2.3.0
        libmbedtls.so.10 -> libmbedtls.so.2.3.0
        libmbedx509.so.0 -> libmbedx509.so.2.3.0
Anyway, an hour of investigating, it turns out the linker flags are incorrect - changing in configure fixed it up:
if test "x$ssl_ok" = "xyes"; then
  LIBSSL_LIBS="-libmbedtls -libmbedx509 -libmbedcrypto"
Should be -lmbedtls, -lmbedx509 and -lmbedcrypto
All really does build fine now :)
mbedtls seems to work well - seems a tad quicker too.
I don't know where you got the "-libmbedtls -libmbedx509 -libmbedcrypto" from. Mine has "-lmbedtls -lmbedx509 -lmbedcrypto", and it says "-lmbedtls -lmbedx509 -lmbedcrypto" when I double-check on hg.dillo.org.
On Mon, 4 Jul 2016 17:01:39 +0000 eocene <eocene at gmx.com> wrote:
Nick wrote:
Should be -lmbedtls, -lmbedx509 and -lmbedcrypto
All really does build fine now :)
mbedtls seems to work well - seems a tad quicker too.
I don't know where you got the "-libmbedtls -libmbedx509 -libmbedcrypto" from. Mine has "-lmbedtls -lmbedx509 -lmbedcrypto", and it says "-lmbedtls -lmbedx509 -lmbedcrypto" when I double-check on hg.dillo.org.
Ummm. You are right. Maybe I was messing around late last night with the earlier error message - I can't remember now :)

Sorry for the noise - all builds and works fine.

Nick

--
Gosh that takes me back... or is it forward? That's the trouble with time travel, you never can tell." -- Doctor Who "Androids of Tara"
Hi dillo-dev,

Dillo builds just fine on mucosa, especially after I `brew install mbedtls`

Problem is that, at start up, it reports Trusting 0 TLS certificates.

Any idea how I can install some? It's odd browsing about without https these days.

Cheers,

On 4 Jul 2016 20:22, "Nick Warne" <nick at linicks.net> wrote:
On Mon, 4 Jul 2016 17:01:39 +0000 eocene <eocene at gmx.com> wrote:
Nick wrote:
Should be -lmbedtls, -lmbedx509 and -lmbedcrypto
All really does build fine now :)
mbedtls seems to work well - seems a tad quicker too.
I don't know where you got the "-libmbedtls -libmbedx509 -libmbedcrypto" from. Mine has "-lmbedtls -lmbedx509 -lmbedcrypto", and it says "-lmbedtls -lmbedx509 -lmbedcrypto" when I double-check on hg.dillo.org.
Ummm. You are right. Maybe I was messing around late last night with the earlier error message - I can't remember now :)
Sorry for the noise - all builds and works fine.
Nick

--
Gosh that takes me back... or is it forward? That's the trouble with time travel, you never can tell." -- Doctor Who "Androids of Tara"
Martin wrote:
Dillo builds just fine on mucosa, especially after I `brew install mbedtls`
Problem is that, at start up, it reports Trusting 0 TLS certificates.
Any idea how I can install some? It's odd browsing about without https these days.
Did it work with 3.0.5 or the development branch before the recent change? (Wouldn't expect it to.) Johannes reported success on osx, but I don't know what's customary for getting certificates there... I presume https is "working" but forces you to click on dialogs...?
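Not part of the thread: an added Python script that reproduces the kind of startup inventory eocene describes (a count of trusted roots, plus the per-country breakdown behind trimming a 174-certificate bundle down to twenty) and the first check for Martin's "Trusting 0" symptom, namely whether a CA bundle is found at all. It uses Python's standard-library ssl module rather than mbed TLS, and the SAMPLE_CERTS entries are constructed to mimic the shape of SSLContext.get_ca_certs() output; they are not real CAs.

```python
import ssl

# Constructed sample shaped like ssl.SSLContext.get_ca_certs() output
# (only the fields this script reads). These are not real CA entries.
SAMPLE_CERTS = [
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Root A"),))},
    {"subject": ((("countryName", "CN"),), (("organizationName", "Example Root B"),))},
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Root C"),))},
]


def count_pem_certs(pem_text):
    """Count certificates in a PEM bundle, the figure a startup line such as
    'Trusting N TLS certificates' would report for that file."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def subject_field(cert, key):
    """Pull one attribute (e.g. countryName) out of the nested subject tuples."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def group_by_country(certs):
    """Map country code -> list of organizationName, the view you want when
    deciding which roots you actually need to trust. Unknown country -> '??'."""
    groups = {}
    for cert in certs:
        country = subject_field(cert, "countryName") or "??"
        groups.setdefault(country, []).append(subject_field(cert, "organizationName"))
    return groups


def load_trust_store(cafile=None):
    """Load the given bundle, or the one the platform's OpenSSL would use,
    and return the decoded CA list. An empty list is the 'Trusting 0' case:
    either no bundle file exists or it holds no certificates."""
    if cafile is None:
        cafile = ssl.get_default_verify_paths().cafile  # None if the file is absent
    if not cafile:
        return []
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()


if __name__ == "__main__":
    certs = load_trust_store()
    print("Trusting %d TLS certificates" % len(certs))
    for country, orgs in sorted(group_by_country(certs).items()):
        print("%s: %d  %s" % (country, len(orgs), ", ".join(o or "?" for o in orgs)))
```

On a machine where the default bundle is missing, load_trust_store() returns an empty list without raising, which is the same condition Dillo reports as "Trusting 0"; pass an explicit cafile to test a candidate bundle location.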