New TLS Versions (imperialviolet.org)
41 points by afimrishi on June 9, 2012 | 6 comments



Here is something interesting: TLS Version 1.2 has been the required standard for protection by the US Government since December 2010 due to no longer allowing MD5 to be used in certain cases.

https://blogs.oracle.com/xuelei/entry/tls_and_nist_s_policy

This has actually been interesting for those of us in the government sector since TLS 1.2 for example is not yet supported by so many different libraries/clients that I know of people having to get exceptions for their products to still be deployed in federal instances...


Hmm, at the moment I'm writing something in Ruby using OpenSSL, where a Socket object becomes an OpenSSL::SSL::SSLSocket.

It's an absolute nightmare. It won't stay alive for more than 10 minutes without some form of OpenSSL error, and I've even managed to create some kind of weird condition where pure bytes and other garbage are read off the socket.

What really concerns me is the lack of documentation for this. It's SSL, out of any piece of Ruby I would like it to be the most documented/most maintained/easy to find help with piece, but instead, I've been stuck with this giant piece of broken code for three months with no idea where to get help.

The point being, it's all very well saying massive companies with engineers on tap are supporting these technologies. But for a startup with one person at the keyboard, they are figuratively screwed. I'm still holding out for the possibility that there is somewhere in the world someone who understands how to securely handle OpenSSL sockets in Ruby, I really do.

I refuse to go to MVP with a server which is raising exceptions left right and center, and at the moment, that's gonna kill the startup dead in its tracks.


Not sure if you can do this in Ruby, but instead of using OpenSSL to manage the socket use something like libevent or event handling to pass the information to a SSL memory BIO...

I wrote an article[1] on this a while back (C++ code), but it should give you an idea as to how to accomplish this. Do note that it looks complicated at first, but it is fairly easy to implement.

Code based on what is in that article has been in production service for about 4 months now and it is completely stable. No weird errors, no weird issues, nothing.

Also, if you let something like OpenSSL causing issues kill your startup dead in its tracks you need to reconsider what MVP is... restart it every so often if it becomes an issue, fork a different process like netcat that does the SSL instead and use pipes to communicate. Please don't let issues with SSL kill your product!

[1]: http://funcptr.net/2012/04/08/openssl-as-a-filter-(or-non-bl...
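The memory-BIO arrangement suggested in the comment above, as an added example that is not taken from the linked article or from anyone in this thread. It uses Python's `ssl` module because it exposes OpenSSL's memory BIOs directly; the function names and the `example.invalid` server name are assumptions made for the illustration.

```python
import ssl
import struct

def new_tls_filter(server_name="example.invalid"):
    """Create a TLS client that is attached to two memory BIOs, not a socket."""
    ctx = ssl.create_default_context()
    incoming = ssl.MemoryBIO()   # the event loop writes bytes it received here
    outgoing = ssl.MemoryBIO()   # OpenSSL queues bytes it wants sent here
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    return tls, incoming, outgoing

def handshake_step(tls, incoming, outgoing, received=b""):
    """Feed bytes the event loop read; return (done, bytes the loop must send).

    Protocol failures still raise ssl.SSLError, so corrupt input never
    reaches the application as data.
    """
    if received:
        incoming.write(received)
    try:
        tls.do_handshake()
        done = True
    except ssl.SSLWantReadError:
        done = False  # not a failure: OpenSSL is waiting for more peer bytes
    return done, outgoing.read()

def record_header(data):
    """Return (content_type, (major, minor), length) of the first TLS record."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length

if __name__ == "__main__":
    tls, incoming, outgoing = new_tls_filter()
    done, to_send = handshake_step(tls, incoming, outgoing)
    print("handshake done:", done)
    print("first record to send:", record_header(to_send))
    try:
        # Constructed non-TLS reply, standing in for garbage on the wire.
        handshake_step(tls, incoming, outgoing, b"HTTP/1.1 400 Bad Request\r\n\r\n")
    except ssl.SSLError as exc:
        print("rejected by OpenSSL:", type(exc).__name__)
```

In a real server or client the event loop would write `to_send` to the socket and pass whatever it reads back in as `received`, so socket readiness and TLS state are handled separately.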


It's a pity that there isn't a wrapper for PolarSSL. I wrote a Lua wrapper for some PolarSSL hash functions and it was relatively straightforward.

OpenSSL is more of a framework than a library. If you crack open code that wraps it, there's an enormous amount of book-keeping that has to be done to do things the OpenSSL way. PolarSSL by contrast just makes everything standalone.

However, OpenSSL definitely receives the majority of eyeballs and the project team go to great lengths to improve crypto performance on many platforms and devices.


not even listing IE and Firefox hehe.


SChannel in Win7 supports TLS 1.1 and 1.2 but IE disables it by default.



