[announce] skalibs-, s6-networking- - now with secure connections!

From: Laurent Bercot <ska-skaware_at_skarnet.org>
Date: Sun, 04 Dec 2016 14:35:50 +0000

  New releases of the following packages are available:

  * skalibs-

  Bugfix release. It is necessary to upgrade to this release for the new
version of s6-networking to work.


  * s6-networking-

  This release of s6-networking comes with 4 optional new binaries:
s6-tlsclient, s6-tlsserver, s6-tlsc, s6-tlsd. Those binaries implement
secure connections via the TLS protocol. s6-tlsclient and s6-tlsserver
act like s6-tcpclient and s6-tcpserver respectively; s6-tlsc and s6-tlsd
are the "tlsify" blocks that put themselves between the network
and the cleartext-speaking application.

  Building those binaries requires an additional dependency on an SSL
library, called a "backend". After installing the chosen backend, you
can tell s6-networking to use it by giving the "--enable-ssl=$backend"
option to configure.

  There are two supported values for $backend:

  * "libressl". This requires installing LibreSSL 2.4.4 or later.
This is the default, safe choice.

  * "bearssl". This requires installing BearSSL 0.1 or later. BearSSL is
a new SSL library being developed by Thomas Pornin, a renowned
cryptologist. Choosing BearSSL is still experimental (it will only be
considered production-ready by its author when it reaches version 1.0),
but it's working for me successfully. The reason to choose BearSSL over
LibreSSL is that BearSSL's design is incredibly high-quality. It is much
more maintainable than the OpenSSL/LibreSSL code base; it requires a
ridiculously small amount of RAM to run; static x86_64 executables for
s6-tlsc and s6-tlsd are, when linked against BearSSL, 10% of the size
they are when using LibreSSL. (Yes, that's a 90% size reduction.)

  Given that LibreSSL is ubiquitous and BearSSL already looks amazing and
will likely be production-ready next year, there are no plans to add
further backends.


  Bug reports *especially* welcome. I spent a long time ironing out small
issues in s6-tlsc and s6-tlsd, but if any problems remain, it is
particularly important to handle them quickly.
