[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7944) Apples Common Crypto Services instea of OpenSSL

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7944) Apples Common Crypto Services instea of OpenSSL
From: hyc@symas.com
Date: Fri, 19 Sep 2014 18:42:01 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Michael Ströder wrote:
> hyc@symas.com wrote:
>> gabriel@gritsch-soft.com wrote:
>>> would it be possible to support Apples "Common Crypto Services" instead of
>>> OpenSSL
>> [..]
>> But in general, it sounds like a bad idea. In light of Apple's now-infamous
>> "goto fail" bug
>> http://www.zdnet.com/apples-goto-fail-tells-us-nothing-good-about-cupertinos-software-delivery-process-7000027449/
>> it would be poor practice to migrate away from a security package that is now
>> receiving broad and in-depth scrutiny, to one that only has Apple's assurances
>> behind it. Also given Apple's success rate with security in general
>> http://online.wsj.com/articles/apple-celebrity-accounts-compromised-by-very-targeted-attack-1409683803
>> it seems like a poor choice.
>
> Yes, I agree with these concerns - especially for OpenLDAP server deployments.
>
> But there are some advantages using the OS platform's mainstream crypto lib
> for libldap to get access to the OS's own keyring (e.g. when using client certs).
>
> E.g. I'd avoid libnss for OpenLDAP servers but PKCS#11 in libnss gives some
> better access to smartcards.

OK, that may be nice to have. OpenSSL's engine API already allows such things 
to be supported dynamically, though.

> On the downside it's a pain to deal with all the LDAP_OPT_X_TLS_* options
> having no or different meaning/features for various crypto libs...

Indeed. Even moreso if, as you seem to be suggesting, a client library gets 
built against a different TLS API than the server side. The current libldap 
infrastructure wouldn't even support such a build. (Although it could, as the 
original version of modular TLS support allowed all of the libraries to be 
supported concurrently. But we dropped that feature because there was no sane 
usecase for it.)

The real solution, if there are platform-specific keystores and such that you 
want to gain access to, is to submit patches for them to the OpenSSL project.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: (ITS#7944) Apples Common Crypto Services instea of OpenSSL
Next by Date: Re: (ITS#7944) Apples Common Crypto Services instea of OpenSSL
Index(es):
- Chronological
- Thread