On 09/07/2016 03:30 PM, Bob Sneidar wrote:
> I have looked into this some and it gets really dicey. First of all, SSL (if
> you mean OpenSSL) has licensing requirements. This is why the compiled versions
> of MySQL for Windows do not use OpenSSL; they use yaml ssl, which I think is a
> fork of OpenSSL. They could not distribute compiled versions of the OpenSSL
> library for some reason I do not understand. It violates the license I guess,
> or maybe money had to change hands or something.

OpenSSL is dual-licensed. LiveCode uses OpenSSL and there is no conflict there. MySQL is messy because Oracle.


> Then there are versions of SSL and TLS.

If you mean the library called SSL, it's been deprecated for quite some time.

> OpenSSL 2.0 was apparently compromised a couple years back (if you recall the Heartbleed bug) and TLS got caught up in it because TLS 1.0 was written to fall back on SSL if TLS failed. Now we have SSL 1.0, 2.0 and 3.0, as well as TLS 1.0, 1.1 and 1.2. Additionally, there was an update to TLS 1.2 to no longer fall back on SSL.

Heh.
https://xkcd.com/1354/

Again, SSL <version-anything> is outdated. Even Microsoft issued a notice about it. Heartbleed affected OpenSSL version 1.0.1 only. The fix was released in 1.0.1g, although Debian patched its own version ahead of the official release with a separate version number (1.0.1e-2), which provided false positives on Heartbleed scanners.

HTTPS uses TLS, which is sometimes erroneously called SSL. I believe the fallback removal was just to disable fallback to SSL 2.0 (which should never have seen the light of day in the first place), but I'm sure someone will correct me if I'm wrong.

> So the upshot is, SSL is a mess right now.

Again, if you're referring to OpenSSL, it's always been a mess. There are half a dozen different technologies inside, and their cooperation is so fragile that tweaking things gets ugly quickly. And it's so big that nobody wants to take on the task of rewriting it.

> I would love to see an updated SSL library that actually works...

No. The first rule of creating your own encryption is don't.

> There is a neat telnet utility called SMTPConsole

I read as far as "Requires Windows and .Net Framework 2.0 or greater."

--
 Mark Wieder
 ahsoftw...@gmail.com


