[Info-vax] OpenSSL CSWS-2.2-1
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Mon Apr 8 13:23:55 EDT 2019
On 2019-04-07 02:59:52 +0000, Craig A. Berry said:
> On 4/6/19 8:58 PM, Stephen Hoffman wrote:
>> So we have CSWS, which everybody obviously knows is a web server.
>
> Not just a web server, but a secure web server from a company named
> Compaq that never knew anything about servers or security.
CSWS, SWB, the oddly-named-and-why-are-these-even-separate Apache
language modules, T4, etc.
Terms such as LP and "host-based volume shadowing", for that matter.
LMF, PAKs, etc.
Process has similar issues with the lack of references to "firewall" in
their Multinet docs, IIRC.
There's "autogen", which by all appearances neither autos nor gens, and
with a name that is clear if you knew RSX-11. Why that even still
exists is another discussion.
This certainly isn't going to change for existing environments, but
OpenVMS folks are way too fond of OpenVMS-isms in naming, in
documentation, and in API designs.
Common terms are helpful, both to existing users and particularly to new users.
>> This particular mess is also why I've commented around the lack of an
>> API for OpenVMS that masks these differences and that makes creating a
>> secure network connection rather less of a project than is currently
>> involved. I've pointed to Secure Transport and similar approaches as
>> one of various examples from other platforms that have sought to reduce
>> or to isolate SSL-level differences from the application developers.
>>
>> Alternatives to OpenSSL include NaCl and libtls, among others.
>
> Some VMS-friendly wrapper functions might be nice. But as far as the
> underlying crypto, it would be unwise for VSI to roll any of that on
> their own.
Wouldn't suggest home-grown cryptography. That often ends badly. As
for wrapping, that's what the Apple frameworks provide. Secure
Transport, the Network Framework, etc., wrap libtls, as well as dealing
with DNS and sockets and certificates.
https://developer.apple.com/security/
Do I expect VSI to crib Apple here? No. I reference this so that
folks can see what's been happening in the past decade or two; in the
era since the OpenVMS frameworks have been substantially updated.
And as I've commented elsewhere, go try writing a secure network
connection using DNS, and self-signed root certificate authority and
certificates and CSRs, and sockets. Now work through the failure modes
and the attacks, and "minor" details such as certificate renewals.
Apps with errors and vulnerabilities are probably the norm here, too.
Now make this work with IPv6.
Apple's been rolling all of this right into their networking framework,
past what Secure Transport provides. As have other folks, I'd expect.
--
Pure Personal Opinion | HoffmanLabs LLC
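The "go try writing a secure network connection" exercise above, as an added example that is not code from this thread, from OpenVMS, VSI or Apple: a small Python wrapper over the standard `ssl` and `socket` modules that hides the chain validation, hostname check, TLS floor, dual-stack (IPv4/IPv6) address selection and the pile of failure modes behind one call. The function and category names (`make_client_context`, `classify_failure`, `secure_connect`, the `cert-expired`/`dns`/`transport` labels) are my own, and the CA file argument is where a self-signed private root would be supplied.

```python
"""Added example: a 'secure connect' wrapper over Python's ssl/socket modules.
Not code from the Info-vax thread, OpenVMS, VSI or Apple; names are my own."""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnectResult:
    ok: bool
    reason: str                      # "ok" or a failure category
    peer_addr: Optional[tuple] = None


def make_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    # Chain validation against the system trust store (or a supplied CA file,
    # e.g. a self-signed private root), mandatory hostname check, TLS 1.2 floor.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLsv1_2 if False else ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    # Plain-string view of the settings that matter, handy for auditing.
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def classify_failure(exc: BaseException) -> str:
    # Collapse the exceptions a caller would otherwise have to know about into
    # a few stable categories. Order matters: gaierror and SSLError are both
    # OSError subclasses, so they are tested before the generic transport case.
    if isinstance(exc, ssl.SSLCertVerificationError):
        msg = str(exc)
        if "expired" in msg:
            return "cert-expired"          # the "minor" renewal detail
        if "self signed" in msg or "self-signed" in msg:
            return "untrusted-issuer"      # private root not loaded
        if "Hostname mismatch" in msg or "doesn't match" in msg:
            return "hostname-mismatch"
        return "cert-invalid"
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake"
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, OSError):           # refused, timeout, unreachable, ...
        return "transport"
    return "unknown"


def secure_connect(host: str, port: int, ctx: ssl.SSLContext,
                   timeout: float = 5.0) -> ConnectResult:
    # Resolve A and AAAA records together and try each address in turn, so
    # IPv6-only and dual-stack hosts both work without the caller caring.
    try:
        addrs = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ConnectResult(False, classify_failure(exc))
    last = "no-address"
    for family, stype, proto, _canon, sockaddr in addrs:
        raw = socket.socket(family, stype, proto)
        try:
            raw.settimeout(timeout)
            raw.connect(sockaddr)
            # server_hostname drives both SNI and the hostname check.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()          # handshake done, chain verified
            return ConnectResult(True, "ok", sockaddr)
        except Exception as exc:
            last = classify_failure(exc)
        finally:
            raw.close()                    # no-op if wrap_socket detached it
    return ConnectResult(False, last)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(secure_connect(target, 443, make_client_context()))
```

`classify_failure` is where the wrapper earns its keep: the application sees "cert-expired" or "hostname-mismatch" rather than an OpenSSL error string, which is what the thread means by an API that masks the SSL-level differences from the developer.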