Re: [Lurk] lurk integration with openssl

Jesús Alberto Polo <ietf@jesusalberto.me> Tue, 24 April 2018 15:10 UTC

Return-Path: <ietf@jesusalberto.me>
X-Original-To: lurk@ietfa.amsl.com
Delivered-To: lurk@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BF6212D880 for <lurk@ietfa.amsl.com>; Tue, 24 Apr 2018 08:10:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pS9yf8FDLzUO for <lurk@ietfa.amsl.com>; Tue, 24 Apr 2018 08:10:55 -0700 (PDT)
Received: from fnsib-smtp02.srv.cat (fnsib-smtp02.srv.cat [46.16.60.193]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04730129C6B for <lurk@ietf.org>; Tue, 24 Apr 2018 08:10:54 -0700 (PDT)
Received: from [172.20.10.2] (unknown [47.59.127.225]) by fnsib-smtp02.srv.cat (Postfix) with ESMTPSA id 24BEB1F3090; Tue, 24 Apr 2018 17:10:51 +0200 (CEST)
Date: Tue, 24 Apr 2018 17:10:31 +0200
From: =?utf-8?Q?Jes=C3=BAs_Alberto_Polo?= <ietf@jesusalberto.me>
To: Dmitry Kravkov <dmitryk@qwilt.com>, Daniel Migault <daniel.migault@ericsson.com>
Cc: LURK BoF <lurk@ietf.org>
Message-ID: <fc8cdf45-9d4b-4840-9943-082db7538eef@Spark>
In-Reply-To: <CAAvCjhggLfVZwDbFuLpek0_T=VAryQVF8vFQH2mgvrVK0sJnGQ@mail.gmail.com>
References: <CADZyTkmgW89C_hEYbuM2iVRADLGt47q2SMDqbWXMVLiYo9VtSw@mail.gmail.com> <CAAvCjhggLfVZwDbFuLpek0_T=VAryQVF8vFQH2mgvrVK0sJnGQ@mail.gmail.com>
X-Readdle-Message-ID: fc8cdf45-9d4b-4840-9943-082db7538eef@Spark
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="5adf48fa_721da317_3f5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lurk/jIW6vZngX4M4E0Z_XEMe0iU2v3w>
Subject: Re: [Lurk] lurk integration with openssl
X-BeenThere: lurk@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Limited Use of Remote Keys <lurk.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lurk>, <mailto:lurk-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lurk/>
List-Post: <mailto:lurk@ietf.org>
List-Help: <mailto:lurk-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lurk>, <mailto:lurk-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2018 15:10:57 -0000

Hi,

Thanks for the resources and the patch, it’s definitely easier to solve it the way you did in the hackathon.

I managed to integrate the basic functionality of LURK for ECDHE and I’m preparing some tests, I hope they’re done and the code cleaned up by the end of this week.

Regarding the TLS12ECDHERequestPayload [1], I think the Signature Algorithm field is missing (hash and signature), to indicate the chosen algorithms for the TLS connection.

Best regards,

Jesús Alberto

[1] https://tools.ietf.org/html/draft-mglt-lurk-tls12-00#section-7.1

On 22 Apr 2018, 12:08 +0200, Dmitry Kravkov <dmitryk@qwilt.com>om>, wrote:
> Hi Jesus Alberto,
>
> this is a patch for openssl used during 101 hackathon
>
> It looks that direct calling for lurk library from statemachine will be hard to push upstream, but adding more callbacks for master secret calculation that nginx (or other client) registers for,  will be easier to submit.
>
>
> > On Fri, Apr 20, 2018 at 9:26 PM Daniel Migault <daniel.migault@ericsson.com> wrote:
> > > Hi Jesus Alberto,
> > >
> > > There have been some discussions regarding the integration of lurk with openssl during the hackathon, so feel free to share your concerns on the mailing list..
> > >
> > > Here are some links you might find of interest:
> > >
> > > https://www.agwa.name/blog/post/protecting_the_openssl_private_key_in_a_separate_process
> > > https://www.agwa.name/blog/post/titus_isolation_techniques_continued
> > >
> > > Yours,
> > > Daniel
> > >
> > >
> > >
> > > _______________________________________________
> > > Lurk mailing list
> > > Lurk@ietf.org
> > > https://www.ietf.org/mailman/listinfo/lurk
> --
> Dmitry Kravkov
> Qwilt | Work: +972-72-2221630 | Mobile: +972-54-4839923
> dmitrykATqwilt.com