Any good reason for choosing HsOpenSSL over tls?


Alfredo Di Napoli

May 2, 2013, 3:10:31 AM5/2/13
to snap_fr...@googlegroups.com
Hi all,

I saw that openssl-streams is using HsOpenSSL under the hood. I also saw this on HsOpenSSL hackage page:

Please note that this project has started at the time when there were no pure-Haskell implementations of TLS. Now there is tls package (http://hackage.haskell.org/package/tls), which looks pretty saner than HsOpenSSL especially for initialisation and error handlings. So PHO (the initial author of HsOpenSSL) wants to encourage you to use and improve the tls package instead as long as possible. The only problem is that the tls package has not received as much review as OpenSSL from cryptography specialists yet, thus we can't assume it's secure enough.

Thus my question: Why not use tls directly?

Have a nice day,
A.

Andrew Cowie

May 2, 2013, 3:28:48 AM5/2/13
to snap_fr...@googlegroups.com
On Thu, 2013-05-02 at 08:10 +0100, Alfredo Di Napoli wrote:

> I saw that openssl-streams is using HsOpenSSL under the hood. I also
> saw this on HsOpenSSL hackage page:

I actually submitted a patch to clean up that rather discouraging
description. It's much better now in 'master' on GitHub. :)

> Thus my question: Why not use directly tls?

People I trust have concerns about tls.

openssl has Plenty Of Issues™ too, of course, but it certainly has a
much higher level of visibility and the validation from being used
heavily in production the world over.

I have nothing against tls, personally; indeed it does raise the chicken
and egg problem: I'm not sure what agency out there would bring
sufficient review to bear for us to be able to convince our auditors
that tls's TLS implementation in pure Haskell is strong enough.

AfC
Sydney


Leon Smith

May 2, 2013, 3:33:42 AM5/2/13
to snap_fr...@googlegroups.com
Yeah, I haven't looked at tls carefully, but I do think that Vincent knows what he's doing. Even so, there are a lot of potential issues, from performance to security, and openssl is a known quantity. I wouldn't anticipate an abandonment of HsOpenSSL anytime soon, even if there are no outstanding issues with tls.

Even so,  nobody's stopping anybody from writing tls-streams as well.  ;-)

Gregory Collins

May 2, 2013, 4:59:32 AM5/2/13
to snap_fr...@googlegroups.com
Because of your final sentence: "The only problem is that the tls package has not received as much review as OpenSSL from cryptography specialists yet, thus we can't assume it's secure enough."

Using anything besides OpenSSL (or some other equally-tested alternative, OpenSSL is just the most ubiquitous and easiest to deal with) for crypto on the public internet is insane.

G
--
Gregory Collins <gr...@gregorycollins.net>

Alfredo Di Napoli

May 2, 2013, 5:13:38 AM5/2/13
to snap_fr...@googlegroups.com
Thanks guys :)

A.

