Replace OpenSSL TLS backend #9239
Replies: 2 comments 4 replies
-
|
Would it be completely standalone and/or what are the dependencies it would have? Particularly important for the older targets that Fluent Bit has to support. |
Beta Was this translation helpful? Give feedback.
-
|
I'm not sure what you mean... I don't think it would depend on any other C libraries, but you'd need rustls-ffi, and then likely a few Rust packages related to TLS verification. The goal would be to add it to the compilation steps in a way where unless you invoke the specific flag, you don't need any additional resources at all. |
Beta Was this translation helpful? Give feedback.
-
|
I mean will it work on CentOS 7 primarily? Is the goal just to have an option to OpenSSL? |
Beta Was this translation helpful? Give feedback.
-
|
The goal is just to have a different option besides OpenSSL - not trying to target a specific Linux flavor. |
Beta Was this translation helpful? Give feedback.
-
|
I think you'll still need to have an idea of which ones it actually will build on though :) |
Beta Was this translation helpful? Give feedback.
-
|
I don't really see it sticking to be honest but feel free to try. If you do you'll need to address : Luckily those components are pretty clean and you won't have to chase openssl references all around the codebase but still I don't see a future in it. One thing I think would be REALLY cool would be proper support for plugins written in rust because that's where I think it could make a difference. |
Beta Was this translation helpful? Give feedback.
-
Recently, there has been a fair amount of discussion in the software community about using memory safe languages to remove a class of errors that can happen in languages like C - use after free, out of bounds memory access, etc.
Specifically, OpenSSL is a library that was written in C, and has historically had a number of security problems related to memory safety. There are replacements for OpenSSL that have been written in memory safe languages, for example, https://github.com/rustls/rustls and accompanying C FFI wrapper, https://github.com/rustls/rustls-ffi. Curl recently accepted support for rustls as a TLS backend.
I have a "hack week" coming up at my employer and was thinking about working on a preliminary patch to add support for this to fluent-bit. Obviously there would need to be a lot of testing and validation after this is complete, but I was wondering if there would be any interest in this effort.
Beta Was this translation helpful? Give feedback.
All reactions