
Re: MoNSS support in openldap



Silvan Marco Fin wrote:
> Thanks for your input, currently I'm trying to get it working with the
> description supplied here.
>
> On 27.09.2010 22:38, Howard Chu wrote:
>
>>> doesn't seem to be a configure switch to enable NSS, like with GnuTLS or
>>
>> There is no switch for it at this time.
>>
>> And that is because currently MozNSS cannot be used transparently as a
>> drop-in replacement for OpenSSL or GnuTLS. Once the MozNSS folks get
>> their PEM handler into their mainline code, it ought to work reasonably
>> transparently, and at that point we may provide a configure switch for
>> it. For now, we do not endorse or support it.
>
> Perhaps I can give you some additional reason to support NSS: MozNSS has
> the "certdb thing" and PKCS11 support. We (that is my company: kernel
> concepts) want to get Evolution's LDAP backend to support client-side
> certificates from software and hardware tokens, and that is exactly what
> MozNSS provides out of the box. OpenSSL currently lacks PKCS11 support
> completely (AFAIK) and GnuTLS support for PKCS11 is very new, so our
> goal is to get everything we need out of NSS.

OpenSSL has had PKCS11 support since at least 2001. It's usually packaged by distros and ready to use, e.g.

https://launchpad.net/ubuntu/karmic/+package/libengine-pkcs11-openssl

MozNSS still has serious design problems wrt reentrancy and multiple independent code bases (programs and libraries) calling into it with different config requirements...

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
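The engine that Howard's link refers to (engine_pkcs11 from the libengine-pkcs11-openssl package) is enabled through OpenSSL's own config file rather than a configure switch. Below is an added example of that configuration; it is not from the thread or from the OpenLDAP or OpenSC projects. The shared-object paths, the token key identifier `slot_1-id_45` and the host `ldap.example.com` are assumptions for illustration, and the exact key-id syntax depends on the engine_pkcs11 version installed.

```ini
# openssl.cnf fragment (added example, not from the thread).
# Registers the engine_pkcs11 engine and points it at a PKCS#11 module so
# that any OpenSSL-based client can use a private key held on a token.
# Paths and the key id below are assumptions; adjust to the distro/token.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# engine_pkcs11 shared object (assumed path)
dynamic_path = /usr/lib/engines/engine_pkcs11.so
# PKCS#11 module that talks to the token, e.g. OpenSC (assumed path)
MODULE_PATH = /usr/lib/opensc-pkcs11.so
# 0 = load on first use; 1 = initialise at startup
init = 0

# Checks, typed into a shell with this config in effect:
#   openssl engine -t pkcs11
#       should report the pkcs11 engine as "[ available ]"
#   openssl s_client -engine pkcs11 -keyform engine -key slot_1-id_45 \
#       -cert client-cert.pem -connect ldap.example.com:636
#       performs a TLS client-certificate handshake against an LDAPS port
#       (assumed host); the private key stays on the token, since the
#       engine hands OpenSSL an EVP_PKEY whose signing is done by the
#       PKCS#11 module.
```

The `-keyform engine` / `-key <token id>` pair is what replaces the file-based key in any OpenSSL-linked program that exposes engine selection; a library that only accepts a PEM key path on disk would still need to be taught to load the key via the engine.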