SSL

Options, in order of preference.

PolarSSL

PolarSSL is now (2015) ARM mbed TLS.

PolarSSL would give us the smallest, and possibly also the most secure, TLS-capable gatling.

Not yet done. The latest gatling changelog (version 0.14, /08/2015) states that PolarSSL 1.2.0 is now supported. We have to test this at some point.

OpenSSL

OpenSSL compilation works. The instructions are taken from the diet libc FAQ file. We have, however, not put it into production use yet.

  1. Get OpenSSL; we used version 1.0.2d.
  2. Unpack it.

cd progs
curl -O https://www.openssl.org/source/openssl-1.0.2d.tar.gz
tar xzf openssl-1.0.2d.tar.gz

We get a message from tar, "tar: A lone zero block at 52140", which we found we can ignore (at least for compilation).

  3. Compile OpenSSL against diet libc.

cd openssl-1.0.2d
./config --prefix=/opt/diet no-dso
make libssl.pc openssl.pc

The following needs ed, yes, that ed. Since we do not care too much about POSIX compatibility on our systems, we had to apt-get install it. Check whether you have to as well.

for i in libssl.pc openssl.pc Makefile; do (echo ",s/ *-ldl//g"; echo w) | ed $i; done
make CC="diet -Os gcc -pipe -nostdinc"

  4. Now go back to the gatling directory and run

make tlsgatling

This fails in the final linker step because /opt/diet/lib is not in the default linker search path. I just copied the failed command line and appended -L/opt/diet/lib to it.

You can even run make install again. The install target picks up all binaries that were built and does not fail on missing ones.
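As an added example, not code from this page, the gatling project or the diet libc FAQ, here are the four steps above as one POSIX sh script that checks the result of each step instead of trusting exit statuses. It assumes that it is run from the gatling directory with progs as the download directory (as on the page), that the OpenSSL libraries land under /opt/diet via make install (the page does not show that step, but its link error points at /opt/diet/lib), and that gatling's Makefile honours LDFLAGS given on the make command line; where ed is not installed it falls back to an equivalent sed command rather than the page's ed script.

```shell
#!/bin/sh
# Added example, not code from the page, the gatling project or the diet libc
# FAQ: the four OpenSSL/tlsgatling steps above as one script, with the result
# of each step checked. Lines marked ASSUMPTION are not stated on the page.
set -eu

OPENSSL_VER="1.0.2d"                        # the tarball the page fetched
OPENSSL_DIR="openssl-${OPENSSL_VER}"        # and the directory it unpacks to
OPENSSL_TGZ="${OPENSSL_DIR}.tar.gz"
OPENSSL_URL="https://www.openssl.org/source/${OPENSSL_TGZ}"
DIET_PREFIX="/opt/diet"
DIET_CC="diet -Os gcc -pipe -nostdinc"      # the diet libc FAQ compiler line

# Remove every "-ldl" from the given files in place, then verify it is gone.
# The page does this with ed; here ed is used when installed and otherwise a
# sed-plus-temporary-file equivalent (not the page's own command), so a box
# without ed is not blocked. Returns 1 if any file still mentions -ldl.
strip_ldl() {
    for f in "$@"; do
        if grep -q -- '-ldl' "$f"; then
            if command -v ed >/dev/null 2>&1; then
                printf '%s\n' ',s/ *-ldl//g' w q | ed -s "$f"
            else
                sed 's/ *-ldl//g' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
            fi
        fi
        # libdl is not part of diet libc, so a surviving -ldl breaks the link
        if grep -q -- '-ldl' "$f"; then
            echo "strip_ldl: -ldl survived in $f" >&2
            return 1
        fi
    done
}

# Steps 1 and 2: fetch and unpack. tar's "A lone zero block" message is a
# warning; instead of trusting tar's exit status, check that the directory
# actually appeared. The name is derived from the tarball, which is where a
# "cd openssl-1.0.2" (without the "d") would go wrong.
fetch_openssl() {
    [ -f "$OPENSSL_TGZ" ] || curl -O "$OPENSSL_URL"
    tar xzf "$OPENSSL_TGZ" || echo "tar exited non-zero, checking result" >&2
    [ -d "$OPENSSL_DIR" ] || { echo "unpack failed: no $OPENSSL_DIR" >&2; return 1; }
}

# Step 3: configure and build OpenSSL against diet libc. The page does not show
# "make install", but its link error refers to $DIET_PREFIX/lib, so the
# libraries must end up under the prefix (ASSUMPTION: install does that).
build_openssl() {
    cd "$OPENSSL_DIR"
    ./config --prefix="$DIET_PREFIX" no-dso
    make libssl.pc openssl.pc
    strip_ldl libssl.pc openssl.pc Makefile
    make CC="$DIET_CC"
    make install
}

# Step 4: build tlsgatling. ASSUMPTION: gatling's Makefile uses $(LDFLAGS) in
# its link rule, so the -L the page added by hand can be passed on the make
# command line. If it does not, repeat the failed link line by hand with
# -L$DIET_PREFIX/lib appended, exactly as the page describes.
build_tlsgatling() {
    cd "$1"
    make tlsgatling LDFLAGS="-L${DIET_PREFIX}/lib"
    [ -x tlsgatling ] || { echo "tlsgatling was not produced" >&2; return 1; }
}

# Only run the whole procedure when asked ("sh build-tlsgatling.sh build
# [gatling-dir]"), so the functions can be sourced or tested without a
# download. ASSUMPTION: started from the gatling directory, progs below it.
if [ "${1:-}" = "build" ]; then
    ( cd progs && fetch_openssl && build_openssl )
    ( build_tlsgatling "${2:-.}" )
fi
```

Run it as sh build-tlsgatling.sh build; without the argument it only defines the functions, so strip_ldl can be exercised on sample copies of the .pc files and Makefile before touching the real tree.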

Pound proxy

We love Pound, but we currently do not use it. We count on ptlsgatling to be our final solution and will report here in time.

Stunnel

Our current solution.

Here are the relevant portions of the stunnel.conf file:

cert = /etc/stunnel/webstats.magma-soft.at.crt.pem
key = /etc/stunnel/webstats.magma-soft.at.key.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
[https]
accept = 443
connect = 127.44.3.1:80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
TIMEOUTclose = 0

We actually run a fnord instance with our 404 redirect patch on 127.44.3.1:80 instead of a gatling server, but we understand that for gatling you must use the -t option to get the right port (443) and (probably) a different virtual host. Note that NO_SSLv2 only disables SSLv2; to refuse SSLv3 as well, add options = NO_SSLv3 (stunnel's option names are OpenSSL's SSL_OP_* flags without the SSL_OP_ prefix).