From: Benjamin Schweikert <b.schweikert@googlemail.com>
To: development@lists.ipfire.org
Subject: Re: Multiple SSL implementations
Date: Mon, 11 Feb 2013 08:25:41 +0100 [thread overview]
Message-ID: <CAEVn7dkZ8AZzPb1F4FL6S29OmpgtC-ORFRsSkRDvJFe3s-Jjkg@mail.gmail.com> (raw)
In-Reply-To: <1360520875.28061.99.camel@rice-oxley.tremer.info>
[-- Attachment #1: Type: text/plain, Size: 2238 bytes --]
Hi,
as long as it is "that simple" I agree with you. We should try to
reduce overhead as much as possbile an concentrate on things which are
more important.
Ben
2013/2/10 Michael Tremer <michael.tremer(a)ipfire.org>:
> Hello,
>
> I think it is time to discuss a thing, that has been stuck in my head
> for some time now: We have too many SSL implementations in the system.
> And as we are already discussion what we can remove from the
> distribution (Xen), I'd like to think about the SSL libraries.
>
> IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all
> basically implement the same protocols, but they differ a bit in their
> interfaces, so a lot of projects prefer the one or an other.
>
> When we had the Lucky Thirteen problem last week, I had to patch all
> four libraries. That's redundant work and I don't see any sense in that.
> I even see this as a security issue, because it is not easy to keep
> track of security issues in all libraries.
>
> I would like to think about how we can get rid of some of these
> libraries:
>
> * openssl
> We cannot get rid of this one because openssl is widely used and I
> tend to think that it is the de-facto standard library.
> A bit of a problem is the GPL-incompatible license.
>
> * GnuTLS
> This is a much better choice in terms of licenses and GnuTLS is
> also widely used. I'd like to keep it.
>
> * nss
> The reason we have this is that RedHat started to move a lot of
> their own software to it because nss is FIPS certified. However,
> this certification is not important to us at this point in time
> and nss is only used by glibc, apr-util and curl. All of them could
> be compiler either without nss or with an other SSL library.
>
> * polarssl
> This library came into the distribution very recently and is used
> by the authoritative powerdns server. As far as I am aware, powerdns
> cannot use any other library.
>
> Conclusively, we can't (or don't want) to get rid of openssl, GnuTLS and
> polarssl. But nss looks like a candidate for me. Opinions?
>
> -Michael
>
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
next prev parent reply other threads:[~2013-02-11 7:25 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-10 18:27 Michael Tremer
2013-02-11 7:25 ` Benjamin Schweikert [this message]
2013-02-11 10:33 ` Michael Tremer
2013-02-11 17:41 ` Stefan Schantl
2013-02-11 19:00 ` Michael Tremer
2013-02-11 20:41 ` R. W. Rodolico
2013-02-12 19:39 ` Michael Tremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAEVn7dkZ8AZzPb1F4FL6S29OmpgtC-ORFRsSkRDvJFe3s-Jjkg@mail.gmail.com \
--to=b.schweikert@googlemail.com \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox