I've been looking into what options exist and what their pros and cons are for switching LuaSec from OpenSSL to something else (mostly in the context of Prosody's TLS support). These are my pros and cons so far, but it's a pretty specific application, so not all points may be important for others.
Pros:
* PolarSSL seems to be very clear code, well modularized and a much more sane API than OpenSSL.
* Supports setting cipher orders by TLS version.
* Cipher support is good (all the new ECC and SHA2 stuff is included), but it doesn't support SSLv2 or EXP ciphers (I'm counting this as a "pro", though).
Cons:
* Not quite as much support for working with X509 certificates. It parses the extension fields it knows about, but if you want to know more than those, you'll have to dig into ASN.1 yourself.
* Related to the previous point: I couldn't find support in converting different ASN.1 string formats. Probably will have to depend on another library to do that.
* I found a buffer overflow bug within a few hours of working with it [1], which is really not a good sign for a TLS library. However, it did get acknowledged within 24 hours (I've got an OpenSSL patch which has been sitting on their bugtracker without any reply for 6 months).
* Setting a different curve for ECC requires a compile time flag to be set, which is disabled by default.
* Using the server's cipher order or the client's is also a compile time flag, can not be set at run time.
We evaluated PolarSSL at FoundationDB while adding TLS support to our 2.0 release. In the end I think our primary deciding factor was a lack of support for hardware accelerated AES-GCM using AES-NI and PCLMUL on modern hardware, although I understand they are working on it.
The library as a whole was relatively well documented and pleasant to use. I am not going to even pretend to be enough of a crypto expert to have my own opinion of its security quality, though.
EDIT: I suppose I should add, for completeness, that we eventually decided to use GnuTLS for our TLS plugin implementation. Just in time to catch the latest GnuTLS security problem, but we avoided heartbleed.
Oh, that's great news! Unfortunately I'm on other projects now and likely won't have a chance to reevaluate in the short term, but I'd like to take a look at some point.
GnuTLS was not the most pleasant API to use, but it did hit some very impressive throughput numbers in our use cases, and seemed to deliver on the theoretical promised instructions/byte that Intel talks about in their whitepaper(s) about AES-GCM.
There is a chart (unfortunately without source) going around comparing different SSL implementations. In this chart there are situations in which PolarSSL accepts a certificate when it should not.
I quit gradschool a month after publishing this so can't comment on what Suman is currently working on, but it looks like it is still mostly my code for generation.
I didn't write the script for using polarSSL but I wrote most the other ones,the testing harness, cert generation and cert crawling, and I can say that polarSSL loved to crash on my weird certs. I almost wanted to remove them from the tested list for being so unreliable.
This should be the major argument against GnuTSL and OpenSSL. PolarSSL is symbolically verified!
You can see some screenshots at http://blog.frama-c.com/
but unfortunately their frama-c annotations for polarssl are not open source. It would help a lot if such annotations could be used for similar crypto APIs also.
There are many more such symbolic verifiers and bugfinders out there (using solvers), but Frama-C was one the first and is still one of the best.
I wonder how to reconcile the symbolic verification of PolarSSL with FRAMA-C with the top comment on this thread, where someone evaluating PolarSSL found a memory corruption flaw within a day of looking at it.
The most likely explanation is that the memory corruption flaw was found in a different PolarSSL version than the one the verification kit applies to. The PolarSSL verification kit is a recent development. The available verification kit applies to version 1.1.8 with patches that have not been released yet. Another verification kit is being finalized for the 1.3.x branch.
Another possibility is that the person who found the memory corruption was not using PolarSSL in the same configuration as the one described in the verification kit. PolarSSL allows to select sub-components at compile-time, and to select between implementation options within these components. Finally, there is always the possibility that a bug remains for compilation parameters other than the ones the verification was configured for. If I did not do too bad a job, this comment should make it clear what kind of differences could explain a bug remaining: https://news.ycombinator.com/item?id=7573483
There is always the possibility of a bug in Frama-C having for consequence a bug in PolarSSL not being found. This is far less likely than the previous commenter referring to a version that was not verified.
It should be pretty easy to verify which case it is: acquire the verified version of PolarSSL and check to see if the memory corruption bug, found 2 days ago and reported publicly, is in that codebase.
Yes, Privacy Enhanced Mail is not part of the verified PolarSSL configuration. And the bug at https://github.com/polarssl/polarssl/issues/83 is definitely the sort of bug Frama-C would “not shut up” about, as Regehr puts it. The warning will only occur where the buffer overflow eventually happens, and it may be more or less pleasant to go back from the site of the buffer overflow to the bug in the fashion of http://blog.frama-c.com/index.php?post/2014/02/23/CVE-2013-5... , but Frama-C's value analysis is designed to reliably find this bug and not shut up about it.
It is not really a fork: all the necessary bugfixes to make the chosen PolarSSL version free of undefined behavior have been contributed back and either have been released or are pending release.
It is more a choice of version, choice of compilation platform (some bugs only occur with 64-bit pointers or unsigned chars —the verification in question has been done with 32-bit pointers and signed chars, no guarantee is given for other parameters) and description of a library configuration.
The PolarSSL Verification Kit takes the form of a 8-page description of the above parameters and a 100-page technical annex with all the formal specifications and justifications. You only need to read the second part if you don't trust the kit's authors. Like similar documents are, the technical annex is intended to be audited by picking a piece at random and checking the reasoning locally and how it relates to the other pieces.
Everybody who is dropping OpenSSL in favor for alternative library X is going to bet on the wrong horse here. A big leak has just been fixed in OpenSSL and every commit will be checked now by more critical eyeballs than before imho.
I don't believe that the presence of the vulnerability is the reason people are looking to migrate. I believe that the discovery of this vulnerability shed light on the code quality of OpenSSL, and that is what is turning people away. Some people have only recently learned of the quality issues, and have lost trust in the project. Others have known about them, but have been begrudgingly dealing with them, and this was the straw that broke the camels back. There's always someone looking to migrate to a different implementation, and all they need is a good reason to justify the effort.
That maybe true, but you're also making the assumption that other SSL/TLS implementations are not already better.
The recent OpenSSL bug is a great reminder that we shouldn't just used OpenSSL because it's what everyone else uses. It's an excuse for use to investigate alternatives and then make a rational decision about which implementation to use. If that investigation leads us back to OpenSSL, then so be it. But without looking into competing libraries, any talk about OpenSSL being the better stack is pure speculation.
Make sure you read their license, it could be slightly modified GPL. Some licenses (such as Apache 2) has clause which makes any contribution Apache licensed.
Their test system knows about valgrind and ASan and runs it if available.
There's also a frama-c annotated version. not open source, but still this is exceptional.
I'm just missing CPU specific optimizations (SSE, Altivec, ...)
PolarSSL condones the practice that makes OpenSSL less secure than any other, which is commercial entities not being obligated to give back. They simply extend that privilege to people who include it in a commercial product.
The biggest problem with OpenSSL is that noone helps.
> PolarSSL condones the practice that makes OpenSSL less secure than any other, which is commercial entities not being obligated to give back.
...it really isn't that simple. Many of the mechanisms for obligating commercial entities to give back simply result in those entities ignoring a project from the start. Plenty of projects that don't enforce that obligation receive significant commercial support.
I don't know personally, but the project I work on (MCServer, an open source Minecraft server) implemented it as a replacement to CryptoPP recently (we needed SSL support with a sane license) and it has been working fairly well. Even when a feature we needed wasn't implemented, the maintainers quickly added it and were nice to work with.
I used it with a small embedded system a couple of years ago and was generally very pleased with it, at least from an ease of use perspective. For the niche I was filling it was a great fit.
I don't know how well it adheres to the standard though, or whether it has known vulnerabilities.
I have no experience with PolarSSL but it is under GPL so unless your code is under GPL also it is a no-starter. I suppose this is a major obstacle for wider adoption.
Pros:
* PolarSSL seems to be very clear code, well modularized and a much more sane API than OpenSSL.
* Supports setting cipher orders by TLS version.
* Cipher support is good (all the new ECC and SHA2 stuff is included), but it doesn't support SSLv2 or EXP ciphers (I'm counting this as a "pro", though).
Cons:
* Not quite as much support for working with X509 certificates. It parses the extension fields it knows about, but if you want to know more than those, you'll have to dig into ASN.1 yourself.
* Related to the previous point: I couldn't find support in converting different ASN.1 string formats. Probably will have to depend on another library to do that.
* I found a buffer overflow bug within a few hours of working with it [1], which is really not a good sign for a TLS library. However, it did get acknowledged within 24 hours (I've got an OpenSSL patch which has been sitting on their bugtracker without any reply for 6 months).
* Setting a different curve for ECC requires a compile time flag to be set, which is disabled by default.
* Using the server's cipher order or the client's is also a compile time flag, can not be set at run time.
[1] = https://github.com/polarssl/polarssl/issues/83