[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#7944) Apples Common Crypto Services instea of OpenSSL
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7944) Apples Common Crypto Services instea of OpenSSL
- From: hyc@symas.com
- Date: Fri, 19 Sep 2014 18:42:01 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Michael Ströder wrote:
> hyc@symas.com wrote:
>> gabriel@gritsch-soft.com wrote:
>>> would it be possible to support Apples "Common Crypto Services" instead of
>>> OpenSSL
>> [..]
>> But in general, it sounds like a bad idea. In light of Apple's now-infamous
>> "goto fail" bug
>> http://www.zdnet.com/apples-goto-fail-tells-us-nothing-good-about-cupertinos-software-delivery-process-7000027449/
>> it would be poor practice to migrate away from a security package that is now
>> receiving broad and in-depth scrutiny, to one that only has Apple's assurances
>> behind it. Also given Apple's success rate with security in general
>> http://online.wsj.com/articles/apple-celebrity-accounts-compromised-by-very-targeted-attack-1409683803
>> it seems like a poor choice.
>
> Yes, I agree with these concerns - especially for OpenLDAP server deployments.
>
> But there are some advantages using the OS platform's mainstream crypto lib
> for libldap to get access to the OS's own keyring (e.g. when using client certs).
>
> E.g. I'd avoid libnss for OpenLDAP servers but PKCS#11 in libnss gives some
> better access to smartcards.
OK, that may be nice to have. OpenSSL's engine API already allows such things
to be supported dynamically, though.
> On the downside it's a pain to deal with all the LDAP_OPT_X_TLS_* options
> having no or different meaning/features for various crypto libs...
Indeed. Even moreso if, as you seem to be suggesting, a client library gets
built against a different TLS API than the server side. The current libldap
infrastructure wouldn't even support such a build. (Although it could, as the
original version of modular TLS support allowed all of the libraries to be
supported concurrently. But we dropped that feature because there was no sane
usecase for it.)
The real solution, if there are platform-specific keystores and such that you
want to gain access to, is to submit patches for them to the OpenSSL project.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/