Recent searches

No recent searches

Search options

Only available when logged in.
sigmoid.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A social space for people researching, working with, or just interested in AI!

Administered by:

Server stats:

599
active users

sigmoid.social: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.4.2

#openssl

0 posts0 participants0 posts today
Felix Palmen :freebsd: :c64:

Just released: #swad 0.12 🥂

swad is the "Simple Web Authentication Daemon". It basically offers adding form + #cookie #authentication to your reverse proxy (designed for and tested with #nginx "auth_request"). I created it mainly to defend against #malicious_bots, so among other credential checker modules for "real" logins, it offers a proof-of-work mechanism for guest logins doing the same #crypto #challenge known from #Anubis.

swad is written in pure #C with minimal dependencies (#zlib, #OpenSSL or compatible, and optionally #PAM), and designed to work on any #POSIX system. It compiles to a small binary (200 - 300 kiB depending on compiler and target platform).

This release brings (among a few bugfixes) improvements to make swad fit for "heavy load" scenarios: There's a new option to balance the load across multiple service worker threads, so all cores can be fully utilized if necessary, and it now keeps lots of transient objects in pools for reuse, which helps to avoid memory fragmentation and ultimately results in lower overall memory consumption.

Read more about it, download the .tar.xz, build and install it .... here:

github.com/Zirias/swad

*
Felix Palmen :freebsd: :c64:

I need help. First the question: On #FreeBSD, with all ports built with #LibreSSL, can I somehow use the #clang #thread #sanitizer on a binary actually using LibreSSL and get sane output?

What I now observe debugging #swad:

- A version built with #OpenSSL (from base) doesn't crash. At least I tried very hard, really stressing it with #jmeter, to no avail. Built with LibreSSL, it does crash.
- Less relevant: the OpenSSL version also performs slightly better, but needs almost twice the RAM
- The thread sanitizer finds nothing to complain when built with OpenSSL
- It complains a lot with LibreSSL, but the reports look "fishy", e.g. it seems to intercept some OpenSSL API functions (like SHA384_Final)
- It even complains when running with a single-thread event loop.
- I use a single SSL_CTX per listening socket, creating SSL objects from it per connection ... also with multithreading; according to a few sources, this should be supported and safe.
- I can't imagine doing that on a *single* thread could break with LibreSSL, I mean, this would make SSL_CTX pretty much pointless
- I *could* imagine sharing the SSL_CTX with multiple threads to create their SSL objects from *might* not be safe with LibreSSL, but no idea how to verify as long as the thread sanitizer gives me "delusional" output 😳

*
Felix Palmen :freebsd: :c64:

More interesting progress trying to make #swad suitable for very busy sites!

I realized that #TLS (both with #OpenSSL and #LibreSSL) is a *major* bottleneck. With TLS enabled, I couldn't cross 3000 requests per second, with somewhat acceptable response times (most below 500ms). Disabling TLS, I could really see the impact of a #lockfree queue as opposed to one protected by a #mutex. With the mutex, up to around 8000 req/s could be reached on the same hardware. And with a lockfree design, that quickly went beyond 10k req/s, but crashed. 😆

So I read some scientific papers 🙈 ... and redesigned a lot (*). And now it finally seems to work. My latest test reached a throughput of almost 25k req/s, with response times below 10ms for most requests! I really didn't expect to see *this* happen. 🤩 Maybe it could do even more, didn't try yet.

Open issue: Can I do something about TLS? There *must* be some way to make it perform at least a *bit* better...

(*) edit: Here's the design I finally used, with a much simplified "dequeue" because the queues in question are guaranteed to have only a single consumer: dl.acm.org/doi/10.1145/248052.

pfriedma
Just got to play the game that appears to go

1. OpenSSL announced a low severity issue with NPN (cve2024-5535)

2. AI posts about this raise urgency, using language like "critical"

3. A few repos create untested and unverified "exploits" using AI on GitHub

4. Tenable picks up on 2,3 marks as critical with remotely exploitable RCE citing no actual sources (just an ouroboros of machine generated content linking to other machine generated content)

5. Non-vulnerable (AFAIK server code using ALPN) machine gets flagged and we have to do something because other machine told us to

😂

Maybe I'm severely mistaken but as far as I can tell this is really not something that should actually be critical?Right?
#infoSec #OpenSSL
#openssl
*
tjhowse

Prepare to poo your pants.

OpenSSL provides a few helpers to compare certificates.

X509_cmp(), which returns 0 on a match, and

EVP_PKEY_cmp(), which returns 1 on a match.

It's OK, tan-coloured landmines are safe to step on. Olive-coloured landmines will explode and you will die.

#openssl#foss
Nicola Tuveri

#OpenSSL 📢 -- Call for speakers at the inaugural OpenSSL Conference

🔗 openssl-foundation.org/post/20

From #OpenSSL -- Blog on OpenSSL Foundation

OpenSSL Foundation · Call for speakers at the inaugural OpenSSL ConferenceThe first OpenSSL Conference will take place October 7–9, 2025 in Prague. It will be an excellent opportunity to learn more about OpenSSL. Talks will range from technical discussions of cryptography to open source communities to practical guidance for internet security. More to the point, it’s a great opportunity to speak about these topics. If you have expertise in a topic related to OpenSSL, please consider applying to be a speaker. In addition to the unique opportunity to address the OpenSSL community, speakers will receive a complimentary conference pass.
LaF0rge

In case you haven't seen it yet, check out the analysis of the devastating state of [mostly] modern #OpenSSL by members of haproxy at haproxy.com/blog/state-of-ssl- - hard to imagine such massive performance regressions getting into mainline linux distributions unnoticed by the distributors. #linux #ssl

HAProxy TechnologiesThe State of SSL StacksThe SSL landscape has shifted dramatically. In this paper, we examine OpenSSL 3.x, BoringSSL, LibreSSL, WolfSSL, and AWS-LC with HAProxy.
Matt "msw" Wilson

“AWS-LC looks like a very active project with a strong community. […] Even the recently reported performance issue was quickly fixed and released with the next version. […] This is definitely a library that anyone interested in the topic should monitor.”

#OpenSSL #BoringSSL #WolfSSL #AWSLC #HAProxy #OpenSource #FreeSoftware #FOSS #OSS #TLS #QUIC
haproxy.com/blog/state-of-ssl-

HAProxy TechnologiesThe State of SSL StacksThe SSL landscape has shifted dramatically. In this paper, we examine OpenSSL 3.x, BoringSSL, LibreSSL, WolfSSL, and AWS-LC with HAProxy.
TrendingLive feeds
About