Re: Multiple SSL implementations

From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Multiple SSL implementations
Date: Mon, 11 Feb 2013 11:33:35 +0100	[thread overview]
Message-ID: <1360578815.28061.105.camel@rice-oxley.tremer.info> (raw)
In-Reply-To: <CAEVn7dkZ8AZzPb1F4FL6S29OmpgtC-ORFRsSkRDvJFe3s-Jjkg@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2708 bytes --]

Well, it is simple. I made a branch and removed nss in that:

http://git.ipfire.org/?p=people/ms/ipfire-3.x.git;a=shortlog;h=refs/heads/remove-nss

We could merge the branch, if we decide to go into that direction.

-Michael

On Mon, 2013-02-11 at 08:25 +0100, Benjamin Schweikert wrote:
> Hi,
> as long as it is "that simple" I agree with you. We should try to
> reduce overhead as much as possbile an concentrate on things which are
> more important.
> 
> Ben
> 
> 2013/2/10 Michael Tremer <michael.tremer(a)ipfire.org>:
> > Hello,
> >
> > I think it is time to discuss a thing, that has been stuck in my head
> > for some time now: We have too many SSL implementations in the system.
> > And as we are already discussion what we can remove from the
> > distribution (Xen), I'd like to think about the SSL libraries.
> >
> > IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all
> > basically implement the same protocols, but they differ a bit in their
> > interfaces, so a lot of projects prefer the one or an other.
> >
> > When we had the Lucky Thirteen problem last week, I had to patch all
> > four libraries. That's redundant work and I don't see any sense in that.
> > I even see this as a security issue, because it is not easy to keep
> > track of security issues in all libraries.
> >
> > I would like to think about how we can get rid of some of these
> > libraries:
> >
> > * openssl
> >   We cannot get rid of this one because openssl is widely used and I
> >   tend to think that it is the de-facto standard library.
> >   A bit of a problem is the GPL-incompatible license.
> >
> > * GnuTLS
> >   This is a much better choice in terms of licenses and GnuTLS is
> >   also widely used. I'd like to keep it.
> >
> > * nss
> >   The reason we have this is that RedHat started to move a lot of
> >   their own software to it because nss is FIPS certified. However,
> >   this certification is not important to us at this point in time
> >   and nss is only used by glibc, apr-util and curl. All of them could
> >   be compiler either without nss or with an other SSL library.
> >
> > * polarssl
> >   This library came into the distribution very recently and is used
> >   by the authoritative powerdns server. As far as I am aware, powerdns
> >   cannot use any other library.
> >
> > Conclusively, we can't (or don't want) to get rid of openssl, GnuTLS and
> > polarssl. But nss looks like a candidate for me. Opinions?
> >
> > -Michael
> >
> > _______________________________________________
> > Development mailing list
> > Development(a)lists.ipfire.org
> > http://lists.ipfire.org/mailman/listinfo/development