Starting over with...SSLRef? - ahadden

Back in the late 90s I worked on a project that needed secure communication.  At the time, our reasonable choices were SSLeay or SSLRef.  SSLeay was the precursor to today's OpenSSL and obviously free.  SSLRef was a commercially available library and cost around $30K to license for commercial applications.  We chose SSLRef because we were concerned how our potential customers would react to having an open source secure communications implementation.  Years later we switched to use OpenSSL.  Kind of ironic, but not the point here.

Anyway, the point of this is that I remember SSLRef being decent code.  Debugging it was fairly simple and it had a pretty good structure, which is very different than SSLeay/OpenSSL.  This makes me wonder if it could serve as the basis for a replacement for OpenSSL.

It looks like Apple uses SSLRef in some capacity and the source code is available at http://www.opensource.apple.com/source/Security/Security-30.1/SecureTransport/

To be clear, I understand that the license of this code is a problem (perhaps the current copyright holder could donate it?).  I also understand that we've learned a lot about various attacks against SSL/TLS since it was written and it surely has not been patched to resolve them.  It also does not currently support TLS.

However...assuming the code could be/has been re-licensed by whoever owns it today, would it make sense to use SSLRef as a starting point for an OpenSSL replacement?  I mean, wouldn't that be better than starting over with a new implementation?
======
tptacek
From the FAQ:

How does NSS compare to SSLRef?

_SSLRef was an early reference implementation of the SSL protocol. It
contains bugs that were never fixed, doesn't support TLS or the new 56-bit
export cipher suites, and does not contain the fix to the Bleichenbacher
attack on PKCS#1._

_Netscape no longer maintains SSLRef or makes it available. It was built as
an example of an SSL implementation, not for creating production
applications._

_NSS was designed from the ground up for use by commercial developers. It
provides a complete software development kit that uses the same architecture
used to support security features in many client and server products from
Netscape and other companies._

