20130329

MungeTLS... it's Out Now

Hello everybody. It's been quite a while, hasn't it? I have been mostly idle but not completely idle. The big news of today (okay, last week) is that I finally released MungeTLS! This represents a bit over a year of wall-clock time that I've spent on it, and probably the single longest project I've actually brought to any state resembling completion.

Of course, it's far from actually complete. What I shipped with it is the core TLS portion of the engine and the sample HTTPS server that calls into it and implements (at least superficially) all the callbacks. It's a neat proof of concept, but otherwise not terribly useful. I'm now presented with the even more difficult challenge of what to do next. I have a few ideas on the docket.

I think a TLS fuzzer would be a useful thing. However, it seems a company called Codenomicon has already built a TLS fuzzer. On the other hand, it costs money, so maybe I have something to offer here after all?

Along similar lines, a TLS conformance test suite would be useful. Both of these would be actual tools, not libraries for testing. The part that probably requires the most design thought is how to author the tests. Putting all of the tests directly into the EXE seems like a lot of code, and cumbersome. I'll have to think about this some more.

And for both of these, I'd have to think about how to automate the runs in some standard way, so that the client just repeatedly connects to walk through the list of tests. That's probably not too bad.

Among other, lighter ideas, I could make a simple library that wraps a TLS "pipe". You provide the certs, and it picks all the correct default behaviors to be a proper TLS channel. Of course, this functionality is already in most platforms, so it's not super compelling.

I had a thought to make a tool to TLS-ify an HTTP server--an HTTPS frontend for an HTTP server. Just a silly idea, but kind of fun.

So yeah, progress may slow down for a while as I try to design some of these ideas in my head before putting virtual pen to virtual paper, but it is on my mind! Speaking of things slowing down, most of the code was actually done around, say, September 2012, but I was trying to get some people to code review it. Turns out it's hard to get people to give up their free time to look at some dude's boring code--and I don't blame them! I was finally able to wrangle some reading out of some guys on Twitter and from work (who are credited on the project page).

Welp, see y'all next time I do something interesting!