Re: GnuTLS considered harmful

Andrew Bartlett <abartlet@samba.org> writes:
> On Sat, 2008-02-16 at 14:44 -0800, Russ Allbery wrote:

>> There are enough other reasons to use already-packaged software and
>> enough reasons to use Debian in preference to other distributions (for
>> what we're doing at Stanford; I'm not interested in discussing that
>> position with anyone on this list) that it was worth helping fund the
>> development of the GnuTLS support.  That support basically works,
>> recommended or not, which is a better place than we were in before.  I
>> can only hope that it will get better in the future, or that some
>> miracle will happen with either OpenSSL licensing or Debian's legal
>> interpretation of copyright, none of which I have any real control
>> over.

> What would it take to create a third way here with Mozilla's NSS?

> For my sanity in Samba4, I keep bugging those involved with NSS and
> nss_compat_ossl to create a gnutls-like API to NSS.  Some aspects of the
> API I like, while other aspects of the GnuTLS implementation drive me
> nuts - such as draining and blocking on /dev/random...

Development of a port to GnuTLS required changes on both sides, but wasn't
particularly expensive.  I expect that a port to Mozilla's NSS wouldn't be
too much more difficult, although of course Howard would be the person to
ask for an estimate.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>