Re: Multiple SSL implementations

From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Multiple SSL implementations
Date: Tue, 12 Feb 2013 20:39:07 +0100	[thread overview]
Message-ID: <1360697947.28061.151.camel@rice-oxley.tremer.info> (raw)
In-Reply-To: <assp.0754563f7c.51195767.2040702@dailydata.net>

[-- Attachment #1: Type: text/plain, Size: 3569 bytes --]

Thanks for your opinions. I just merged the branch I posted earlier into
the main repository.

Case closed.

-Michael

On Mon, 2013-02-11 at 14:41 -0600, R. W. Rodolico wrote:
> I don't really have much involvement in this, but anytime you can
> simplify you're ahead.
> 
> Rod
> 
> On 02/11/2013 04:33 AM, Michael Tremer wrote:
> > Well, it is simple. I made a branch and removed nss in that:
> > 
> > http://git.ipfire.org/?p=people/ms/ipfire-3.x.git;a=shortlog;h=refs/heads/remove-nss
> > 
> > We could merge the branch, if we decide to go into that direction.
> > 
> > -Michael
> > 
> > On Mon, 2013-02-11 at 08:25 +0100, Benjamin Schweikert wrote:
> >> Hi,
> >> as long as it is "that simple" I agree with you. We should try to
> >> reduce overhead as much as possbile an concentrate on things which are
> >> more important.
> >>
> >> Ben
> >>
> >> 2013/2/10 Michael Tremer <michael.tremer(a)ipfire.org>:
> >>> Hello,
> >>>
> >>> I think it is time to discuss a thing, that has been stuck in my head
> >>> for some time now: We have too many SSL implementations in the system.
> >>> And as we are already discussion what we can remove from the
> >>> distribution (Xen), I'd like to think about the SSL libraries.
> >>>
> >>> IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all
> >>> basically implement the same protocols, but they differ a bit in their
> >>> interfaces, so a lot of projects prefer the one or an other.
> >>>
> >>> When we had the Lucky Thirteen problem last week, I had to patch all
> >>> four libraries. That's redundant work and I don't see any sense in that.
> >>> I even see this as a security issue, because it is not easy to keep
> >>> track of security issues in all libraries.
> >>>
> >>> I would like to think about how we can get rid of some of these
> >>> libraries:
> >>>
> >>> * openssl
> >>>   We cannot get rid of this one because openssl is widely used and I
> >>>   tend to think that it is the de-facto standard library.
> >>>   A bit of a problem is the GPL-incompatible license.
> >>>
> >>> * GnuTLS
> >>>   This is a much better choice in terms of licenses and GnuTLS is
> >>>   also widely used. I'd like to keep it.
> >>>
> >>> * nss
> >>>   The reason we have this is that RedHat started to move a lot of
> >>>   their own software to it because nss is FIPS certified. However,
> >>>   this certification is not important to us at this point in time
> >>>   and nss is only used by glibc, apr-util and curl. All of them could
> >>>   be compiler either without nss or with an other SSL library.
> >>>
> >>> * polarssl
> >>>   This library came into the distribution very recently and is used
> >>>   by the authoritative powerdns server. As far as I am aware, powerdns
> >>>   cannot use any other library.
> >>>
> >>> Conclusively, we can't (or don't want) to get rid of openssl, GnuTLS and
> >>> polarssl. But nss looks like a candidate for me. Opinions?
> >>>
> >>> -Michael
> >>>
> >>> _______________________________________________
> >>> Development mailing list
> >>> Development(a)lists.ipfire.org
> >>> http://lists.ipfire.org/mailman/listinfo/development
> > 
> > _______________________________________________
> > Development mailing list
> > Development(a)lists.ipfire.org
> > http://lists.ipfire.org/mailman/listinfo/development
> > 
> 
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development