Re: Multiple SSL implementations

[Stefan Schantl <stefan.schantl@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3884 bytes --]

Hello Michael, Hello Ben,

you are right there are a lot of different SSL implementations out there 
which are probably doing the same stuff. And of course I totally agree 
with you that the currently 4 included implementations are to much.

To reduce overhead and "pre-designed" troubles on fixed security holes 
on some implementations, because patches to fix them are available - but 
for a second or third implementation they are not fixable because of a 
missing patchset.

This result in a potential security risk because some services still can 
be attacked, because they are linked and using a different SSL library.

A first good step, as you already wrote, will be to drop NSS because 
it's simple to do and as I can see on your git branch, has been done.

Currently we are not able to drop polarssl, because PDNS requires it as 
only supported SSL implementation. Hopefully this will be changed by the 
developers at a later time.

Stefan

> Well, it is simple. I made a branch and removed nss in that:
>
> http://git.ipfire.org/?p=people/ms/ipfire-3.x.git;a=shortlog;h=refs/heads/remove-nss
>
> We could merge the branch, if we decide to go into that direction.
>
> -Michael
>
> On Mon, 2013-02-11 at 08:25 +0100, Benjamin Schweikert wrote:
>> Hi,
>> as long as it is "that simple" I agree with you. We should try to
>> reduce overhead as much as possbile an concentrate on things which are
>> more important.
>>
>> Ben
>>
>> 2013/2/10 Michael Tremer <michael.tremer(a)ipfire.org>:
>>> Hello,
>>>
>>> I think it is time to discuss a thing, that has been stuck in my head
>>> for some time now: We have too many SSL implementations in the system.
>>> And as we are already discussion what we can remove from the
>>> distribution (Xen), I'd like to think about the SSL libraries.
>>>
>>> IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all
>>> basically implement the same protocols, but they differ a bit in their
>>> interfaces, so a lot of projects prefer the one or an other.
>>>
>>> When we had the Lucky Thirteen problem last week, I had to patch all
>>> four libraries. That's redundant work and I don't see any sense in that.
>>> I even see this as a security issue, because it is not easy to keep
>>> track of security issues in all libraries.
>>>
>>> I would like to think about how we can get rid of some of these
>>> libraries:
>>>
>>> * openssl
>>>    We cannot get rid of this one because openssl is widely used and I
>>>    tend to think that it is the de-facto standard library.
>>>    A bit of a problem is the GPL-incompatible license.
>>>
>>> * GnuTLS
>>>    This is a much better choice in terms of licenses and GnuTLS is
>>>    also widely used. I'd like to keep it.
>>>
>>> * nss
>>>    The reason we have this is that RedHat started to move a lot of
>>>    their own software to it because nss is FIPS certified. However,
>>>    this certification is not important to us at this point in time
>>>    and nss is only used by glibc, apr-util and curl. All of them could
>>>    be compiler either without nss or with an other SSL library.
>>>
>>> * polarssl
>>>    This library came into the distribution very recently and is used
>>>    by the authoritative powerdns server. As far as I am aware, powerdns
>>>    cannot use any other library.
>>>
>>> Conclusively, we can't (or don't want) to get rid of openssl, GnuTLS and
>>> polarssl. But nss looks like a candidate for me. Opinions?
>>>
>>> -Michael
>>>
>>> _______________________________________________
>>> Development mailing list
>>> Development(a)lists.ipfire.org
>>> http://lists.ipfire.org/mailman/listinfo/development
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development