[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: GnuTLS considered harmful

To: Russ Allbery <rra@stanford.edu>
Subject: Re: GnuTLS considered harmful
From: Howard Chu <hyc@symas.com>
Date: Thu, 21 Feb 2008 00:06:06 -0800
Cc: OpenLDAP Devel <openldap-devel@openldap.org>
In-reply-to: <87ablvcmlz.fsf@windlord.stanford.edu>
References: <47B751BF.8010103@symas.com> <55072.212.159.59.85.1203198927.squirrel@webmail.suretecsystems.com> <47B7636C.1030106@symas.com> <87fxvsy11b.fsf@windlord.stanford.edu> <1203503744.25486.38.camel@naomi> <87ablvcmlz.fsf@windlord.stanford.edu>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b3pre) Gecko/2008013117 SeaMonkey/2.0a1pre

Russ Allbery wrote:

Andrew Bartlett<abartlet@samba.org> writes:

On Sat, 2008-02-16 at 14:44 -0800, Russ Allbery wrote:

There are enough other reasons to use already-packaged software and
enough reasons to use Debian in preference to other distributions (for
what we're doing at Stanford; I'm not interested in discussing that
position with anyone on this list) that it was worth helping fund the
development of the GnuTLS support.  That support basically works,
recommended or not, which is a better place than we were in before.  I
can only hope that it will get better in the future, or that some
miracle will happen with either OpenSSL licensing or Debian's legal
interpretation of copyright, none of which I have any real control
over.

What would it take to create a third way here with Mozilla's NSS?

For my sanity in Samba4, I keep bugging those involved with NSS and
nss_compat_ossl to create a gnutls-like API to NSS.  Some aspects of the
API I like, while other aspects of the GnuTLS implementation drive me
nuts - such as draining and blocking on /dev/random...

I pointed out a number of problems in the GnuTLS design last year when I started the port. I stated back then that it was ill-advised, given the library's overall design and maturity. Oh well.

Development of a port to GnuTLS required changes on both sides, but wasn't
particularly expensive.


It still leaves something to be desired, like better cipher suite APIs, etc..

I expect that a port to Mozilla's NSS wouldn't be
too much more difficult, although of course Howard would be the person to
ask for an estimate.

I would think there are other developers here who are familiar with Mozilla NSS and can read the code in libldap/tls.c. It's certainly not high on my list at the moment since OpenSSL works for me. One thing that I find rather annoying about NSS is its use of a private certificate/keystore that requires additional tools to manipulate. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

Follow-Ups:
- Re: GnuTLS considered harmful
  - From: Michael Ströder <michael@stroeder.com>
- Re: GnuTLS considered harmful
  - From: Russ Allbery <rra@stanford.edu>
- Re: GnuTLS considered harmful
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

References:
- GnuTLS considered harmful
  - From: Howard Chu <hyc@symas.com>
- Re: GnuTLS considered harmful
  - From: "Gavin Henry" <ghenry@suretecsystems.com>
- Re: GnuTLS considered harmful
  - From: Howard Chu <hyc@symas.com>
- Re: GnuTLS considered harmful
  - From: Russ Allbery <rra@stanford.edu>
- Re: GnuTLS considered harmful
  - From: Andrew Bartlett <abartlet@samba.org>
- Re: GnuTLS considered harmful
  - From: Russ Allbery <rra@stanford.edu>

Prev by Date: Re: commit: openldap-guide/admin overlays.sdf
Next by Date: Re: GnuTLS considered harmful
Index(es):
- Chronological
- Thread