Re: GnuTLS considered harmful
Russ Allbery wrote:
> Andrew Bartlett <email@example.com> writes:
>> On Sat, 2008-02-16 at 14:44 -0800, Russ Allbery wrote:
>>> There are enough other reasons to use already-packaged software and
>>> enough reasons to use Debian in preference to other distributions (for
>>> what we're doing at Stanford; I'm not interested in discussing that
>>> position with anyone on this list) that it was worth helping fund the
>>> development of the GnuTLS support. That support basically works,
>>> recommended or not, which is a better place than we were in before. I
>>> can only hope that it will get better in the future, or that some
>>> miracle will happen with either OpenSSL licensing or Debian's legal
>>> interpretation of copyright, none of which I have any real control
>> What would it take to create a third way here with Mozilla's NSS?
>> For my sanity in Samba4, I keep bugging those involved with NSS and
>> nss_compat_ossl to create a gnutls-like API to NSS. Some aspects of the
>> API I like, while other aspects of the GnuTLS implementation drive me
>> nuts - such as draining and blocking on /dev/random...
I pointed out a number of problems in the GnuTLS design last year when I
started the port. I stated back then that it was ill-advised, given the
library's overall design and maturity. Oh well.
> Development of a port to GnuTLS required changes on both sides, but wasn't
It still leaves something to be desired, like better cipher suite APIs, etc.
> I expect that a port to Mozilla's NSS wouldn't be
> too much more difficult, although of course Howard would be the person to
> ask for an estimate.
I would think there are other developers here who are familiar with Mozilla
NSS and can read the code in libldap/tls.c. It's certainly not high on my list
at the moment since OpenSSL works for me. One thing that I find rather
annoying about NSS is its use of a private certificate/keystore that requires
additional tools to manipulate.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/