From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Multiple SSL implementations
Date: Mon, 11 Feb 2013 20:00:01 +0100 [thread overview]
Message-ID: <1360609201.28061.127.camel@rice-oxley.tremer.info> (raw)
In-Reply-To: <51192D31.9010900@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 4329 bytes --]
I'll count this as a +1.
On Mon, 2013-02-11 at 18:41 +0100, Stefan Schantl wrote:
> Hello Michael, Hello Ben,
>
> you are right there are a lot of different SSL implementations out there
> which are probably doing the same stuff. And of course I totally agree
> with you that the currently 4 included implementations are to much.
>
> To reduce overhead and "pre-designed" troubles on fixed security holes
> on some implementations, because patches to fix them are available - but
> for a second or third implementation they are not fixable because of a
> missing patchset.
>
> This result in a potential security risk because some services still can
> be attacked, because they are linked and using a different SSL library.
>
> A first good step, as you already wrote, will be to drop NSS because
> it's simple to do and as I can see on your git branch, has been done.
>
> Currently we are not able to drop polarssl, because PDNS requires it as
> only supported SSL implementation. Hopefully this will be changed by the
> developers at a later time.
>
> Stefan
>
> > Well, it is simple. I made a branch and removed nss in that:
> >
> > http://git.ipfire.org/?p=people/ms/ipfire-3.x.git;a=shortlog;h=refs/heads/remove-nss
> >
> > We could merge the branch, if we decide to go into that direction.
> >
> > -Michael
> >
> > On Mon, 2013-02-11 at 08:25 +0100, Benjamin Schweikert wrote:
> >> Hi,
> >> as long as it is "that simple" I agree with you. We should try to
> >> reduce overhead as much as possbile an concentrate on things which are
> >> more important.
> >>
> >> Ben
> >>
> >> 2013/2/10 Michael Tremer <michael.tremer(a)ipfire.org>:
> >>> Hello,
> >>>
> >>> I think it is time to discuss a thing, that has been stuck in my head
> >>> for some time now: We have too many SSL implementations in the system.
> >>> And as we are already discussion what we can remove from the
> >>> distribution (Xen), I'd like to think about the SSL libraries.
> >>>
> >>> IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all
> >>> basically implement the same protocols, but they differ a bit in their
> >>> interfaces, so a lot of projects prefer the one or an other.
> >>>
> >>> When we had the Lucky Thirteen problem last week, I had to patch all
> >>> four libraries. That's redundant work and I don't see any sense in that.
> >>> I even see this as a security issue, because it is not easy to keep
> >>> track of security issues in all libraries.
> >>>
> >>> I would like to think about how we can get rid of some of these
> >>> libraries:
> >>>
> >>> * openssl
> >>> We cannot get rid of this one because openssl is widely used and I
> >>> tend to think that it is the de-facto standard library.
> >>> A bit of a problem is the GPL-incompatible license.
> >>>
> >>> * GnuTLS
> >>> This is a much better choice in terms of licenses and GnuTLS is
> >>> also widely used. I'd like to keep it.
> >>>
> >>> * nss
> >>> The reason we have this is that RedHat started to move a lot of
> >>> their own software to it because nss is FIPS certified. However,
> >>> this certification is not important to us at this point in time
> >>> and nss is only used by glibc, apr-util and curl. All of them could
> >>> be compiler either without nss or with an other SSL library.
> >>>
> >>> * polarssl
> >>> This library came into the distribution very recently and is used
> >>> by the authoritative powerdns server. As far as I am aware, powerdns
> >>> cannot use any other library.
> >>>
> >>> Conclusively, we can't (or don't want) to get rid of openssl, GnuTLS and
> >>> polarssl. But nss looks like a candidate for me. Opinions?
> >>>
> >>> -Michael
> >>>
> >>> _______________________________________________
> >>> Development mailing list
> >>> Development(a)lists.ipfire.org
> >>> http://lists.ipfire.org/mailman/listinfo/development
> > _______________________________________________
> > Development mailing list
> > Development(a)lists.ipfire.org
> > http://lists.ipfire.org/mailman/listinfo/development
>
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
next prev parent reply other threads:[~2013-02-11 19:00 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-10 18:27 Michael Tremer
2013-02-11 7:25 ` Benjamin Schweikert
2013-02-11 10:33 ` Michael Tremer
2013-02-11 17:41 ` Stefan Schantl
2013-02-11 19:00 ` Michael Tremer [this message]
2013-02-11 20:41 ` R. W. Rodolico
2013-02-12 19:39 ` Michael Tremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1360609201.28061.127.camel@rice-oxley.tremer.info \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox