ID: | 7851
Fixed in: |
Issue Date: | 2024-08-29 09:51 AEST
Owner: | CVS Support
Last Modified: | 2024-09-15 16:15 AEST
Reporter: | Arthur Barrett
Current Est.: | 0.0 hours
% Complete: | 0.0
Status: | NEW /
Severity: | normal
Affected: | 2.8.01
Description: | win: native windows sserver protocol? why do we use openssl not schannel (ssl)?

Actions:

2024-08-29 09:51 AEST by Arthur Barrett - The sserver protocol is basically pserver protocol wrapped in SSL encryption. But why does it use openssl and not native windows Schannel (SSL)?
In CVSNT 2.8.02 there is an Schannel (SSL) option on SSPI (registry variable: SspiSchannel, then gets the 'schannel' security package using a call to SspiSchannel() etc.). Is this on 2.8.01 too? Which looks like SSPI can use native windows SSL. Why not SSERVER?
Maybe just that we wanted to move people to SSPI? Maybe just that we viewed SSPI as better? Maybe that not many people really use SSERVER?
This bug has been influenced by the recent OpenSSL 3.0 upgrade (Bug 7786) and also the testing (Bug 7665) and updates (Bug 7793) to SSERVER, but also thinking about Bug 7850 - specifically: whether to use a linux library for HTTP/HTTPS or native windows HTTP/HTTPS or write our own CVSAPI stuff with native implementations for each. A lot of open source apps for windows rely heavily on 'linux' open source libraries, whereas with CVSNT I always wanted it to be open source but native windows. So that got me wondering about the dependency on OpenSSL and the requirement to constantly patch to keep up with the latest releases and security vulnerabilities - can't this be done away with if we have a native implementation?
It looks like Git has also faced this same question:
https://github.com/git/git/commit/21084e84a418e0a6c4da72f632c5cd99386bd64b
Git uses libcurl and libcurl supports use of either schannel or openssl as backends, so their patch is very simple. Git always uses HTTP so they don't need anything more complex than libcurl for the protocol. But we could probably find some good code examples in the libcurl sources for schannel vs. openssl.
Finally, here is another useful post on this topic:
https://stackoverflow.com/a/62463784

2024-08-29 09:51 AEST by Arthur Barrett - Created an attachment (id=3796)
SSPI dialog

2024-08-29 11:30 AEST by Arthur Barrett - also see: Native SSL Support for WINAPI:
https://stackoverflow.com/q/46654992
secure channel API:
https://learn.microsoft.com/en-us/windows/win32/secauthn/secure-channel?redirectedfrom=MSDN
Creating a Secure Connection Using Schannel
https://learn.microsoft.com/en-us/windows/win32/secauthn/creating-a-secure-connection-using-schannel?redirectedfrom=MSDN
"WinSock itself still does not support SSL, true. However, Microsoft's SChannel API does, and you can use your existing WinSock code for the I/O of SChannel-encrypted SSL data. See Creating a Secure Connection Using Schannel. Otherwise, use a 3rd party SSL library. OpenSSL is very common, and it can be used on top of your existing WinSock code (via its BIO API). Or, you can re-write your code to let it handle all of the socket I/O for you"

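As an added illustration (this is not CVSNT code, nor code from the linked answer or Microsoft pages), the PowerShell script below shows the "wrap your existing socket I/O in native Windows SSL" approach the quoted answer describes. It opens an ordinary TCP socket and hands its stream to .NET's SslStream, which on Windows is implemented over Schannel, so the TLS handshake, certificate chain validation and record encryption all happen in the platform's own SSP with no OpenSSL library loaded. The server name and port are placeholders for a TLS-wrapped pserver endpoint; the certificate validation callback is kept strict (it only reports why a chain would be rejected) rather than disabled.

```powershell
# Added example, not CVSNT code: plain TCP socket + SslStream (Schannel-backed on
# Windows). Server and port are placeholders for a TLS-wrapped pserver endpoint.
param(
    [string]$Server = 'cvs.example.invalid',   # placeholder host
    [int]$Port = 2401                           # placeholder; pserver's usual port
)

$client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
try {
    # Validation callback: accept only chains Windows itself trusts, and log the
    # reason for a rejection instead of silently returning $true.
    $validate = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        if ($sslPolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
            Write-Warning "Rejecting server certificate: $sslPolicyErrors"
            return $false
        }
        return $true
    }

    # Layer TLS over the socket's NetworkStream; the socket code is unchanged.
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $validate)

    # Handshake runs inside Schannel: TLS 1.2, no client certificate, revocation checked.
    $ssl.AuthenticateAsClient($Server, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)

    # Report what the platform negotiated so the result can be checked against policy.
    [pscustomobject]@{
        Protocol = $ssl.SslProtocol
        Cipher   = "$($ssl.CipherAlgorithm) ($($ssl.CipherStrength)-bit)"
        Hash     = $ssl.HashAlgorithm
        PeerCert = $ssl.RemoteCertificate.Subject
    } | Format-List

    # From here on, the application protocol (the pserver exchange in the sserver
    # case) is written to and read from $ssl instead of the raw NetworkStream;
    # Schannel encrypts outbound records and decrypts inbound ones transparently.
    $ssl.Dispose()
}
finally {
    $client.Dispose()
}
```

Run it as `.\schannel-client.ps1 -Server <host> -Port <port>` against a server that speaks TLS on that port. The design point it illustrates is the one the quoted answer makes: the socket layer stays as it is, and only the stream the application reads and writes changes, which is the same shape the OpenSSL BIO approach has, but with the cipher suites, certificate store and patching handled by Windows rather than by a bundled OpenSSL build.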
2024-09-15 16:15 AEST by Arthur Barrett - this same question applies to SSL for SMTP used by the email trigger plugin, see bug 7403 "enh: Email plugin (SMTP) should support SSL/TLS"
On Linux the plugin should use openssl, but on windows it should use schannel ssl?