
Re: GnuTLS considered harmful



Howard Chu wrote:
> Russ Allbery wrote:
>> I expect that a port to Mozilla's NSS wouldn't be
>> too much more difficult, although of course Howard would be the person to
>> ask for an estimate.
>
> I would think there are other developers here who are familiar with Mozilla NSS and can read the code in libldap/tls.c. It's certainly not high on my list at the moment since OpenSSL works for me. One thing that I find rather annoying about NSS is its use of a private certificate/keystore that requires additional tools to manipulate.

Well, using Mozilla NSS and its certificate database would have pros and cons. One pro would be that LDAP clients could make use of the certificate database, e.g. containing client certs/keys, already maintained by one of the Mozilla GUI client products (e.g. Seamonkey). Similar to how OpenOffice uses the Mozilla cert database out-of-the-box.

What I find annoying with OpenSSL is that IIRC there is no separate cert store for intermediate CA certs which are not a trust anchor. So the server has to be configured to always send the intermediate CA certs during SSL connect. Would have to examine this a little bit closer though. Using the NSS cert database together with certutil maintaining trust flags for certain cert usage is more powerful in this regard.

I cannot tell how active the development of OpenSSL and Mozilla NSS are compared to each other.

Ciao, Michael.
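The point raised above about intermediate CA certs that are not trust anchors, as an added shell example that is not part of this thread: it builds a constructed root, intermediate and leaf with the openssl CLI and shows that a client trusting only the root cannot verify the leaf unless the intermediate is supplied, either by the server during the handshake or locally as untrusted chain material. It assumes OpenSSL 1.1.1 or later and a POSIX shell with mktemp; every name and file is made up for the demo.

```shell
#!/bin/sh
# Added demonstration, not code from the thread: build a constructed chain
# root CA -> intermediate CA -> leaf and verify the leaf with OpenSSL's CLI.
# Trust anchors are passed with -CAfile; an intermediate that is not a trust
# anchor is passed as -untrusted chain material, which is what a server's
# TLS handshake otherwise has to supply. All names here are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions that make a certificate usable as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >ca.ext

# Root CA: self-signed with -signkey.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.pem 2>/dev/null

# Intermediate CA: issued by the root, also CA:TRUE.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.pem 2>/dev/null

# Leaf (server) certificate: issued by the intermediate only.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -out leaf.pem 2>/dev/null

# A client that trusts only the root and never sees the intermediate cannot
# build the chain; OpenSSL reports "unable to get local issuer certificate".
verify_root_only() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# The same trust store succeeds once the intermediate is offered as untrusted
# chain material; the intermediate itself never becomes a trust anchor.
verify_with_untrusted_intermediate() {
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}

if verify_root_only; then echo "unexpected: leaf verified without the intermediate"; fi
verify_with_untrusted_intermediate && echo "ok: verified with -untrusted int.pem"
```

To see what a real server actually presents, `openssl s_client -showcerts -connect host:port` lists every certificate sent in the handshake, which is the quickest way to confirm that the intermediates are configured on the server side.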