[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: GnuTLS considered harmful

Howard Chu wrote:
Russ Allbery wrote:
I expect that a port to Mozilla's NSS wouldn't be
too much more difficult, although of course Howard would be the person to
ask for an estimate.

I would think there are other developers here who are familiar with Mozilla NSS and can read the code in libldap/tls.c. It's certainly not high on my list at the moment since OpenSSL works for me. One thing that I find rather annoying about NSS is its use of a private certificate/keystore that requires additional tools to manipulate.

Well, using Mozilla NSS and its certificate database would have pros and cons. One pro would be that LDAP clients could make use of the certificate database, e.g. containing client certs/keys, already maintained by one of the Mozilla GUI client products (e.g. Seamonkey). Similar how OpenOffice uses the Mozilla cert database out-of-the box.

What I find annoying with OpenSSL is that IIRC there is no separate cert store for intermediate CA certs which are not a trust anchor. So the server has to be configured to always send the intermediate CA certs during SSL connect. Would have to examine this a little bit closer though. Using the NSS cert database together with certutil maintaing trust flags for certain cert usage is more powerful in this regard.

I cannot tell how active the development of OpenSSL and Mozilla NSS are compared to each other.

Ciao, Michael.