Re: Multiple SSL implementations

From: "R. W. Rodolico" <rodo@dailydata.net>
To: development@lists.ipfire.org
Subject: Re: Multiple SSL implementations
Date: Mon, 11 Feb 2013 14:41:11 -0600	[thread overview]
Message-ID: <assp.0754563f7c.51195767.2040702@dailydata.net> (raw)
In-Reply-To: <1360578815.28061.105.camel@rice-oxley.tremer.info>

[-- Attachment #1: Type: text/plain, Size: 3177 bytes --]

I don't really have much involvement in this, but anytime you can
simplify you're ahead.

Rod

On 02/11/2013 04:33 AM, Michael Tremer wrote:
> Well, it is simple. I made a branch and removed nss in that:
> 
> http://git.ipfire.org/?p=people/ms/ipfire-3.x.git;a=shortlog;h=refs/heads/remove-nss
> 
> We could merge the branch, if we decide to go into that direction.
> 
> -Michael
> 
> On Mon, 2013-02-11 at 08:25 +0100, Benjamin Schweikert wrote:
>> Hi,
>> as long as it is "that simple" I agree with you. We should try to
>> reduce overhead as much as possbile an concentrate on things which are
>> more important.
>>
>> Ben
>>
>> 2013/2/10 Michael Tremer <michael.tremer(a)ipfire.org>:
>>> Hello,
>>>
>>> I think it is time to discuss a thing, that has been stuck in my head
>>> for some time now: We have too many SSL implementations in the system.
>>> And as we are already discussion what we can remove from the
>>> distribution (Xen), I'd like to think about the SSL libraries.
>>>
>>> IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all
>>> basically implement the same protocols, but they differ a bit in their
>>> interfaces, so a lot of projects prefer the one or an other.
>>>
>>> When we had the Lucky Thirteen problem last week, I had to patch all
>>> four libraries. That's redundant work and I don't see any sense in that.
>>> I even see this as a security issue, because it is not easy to keep
>>> track of security issues in all libraries.
>>>
>>> I would like to think about how we can get rid of some of these
>>> libraries:
>>>
>>> * openssl
>>>   We cannot get rid of this one because openssl is widely used and I
>>>   tend to think that it is the de-facto standard library.
>>>   A bit of a problem is the GPL-incompatible license.
>>>
>>> * GnuTLS
>>>   This is a much better choice in terms of licenses and GnuTLS is
>>>   also widely used. I'd like to keep it.
>>>
>>> * nss
>>>   The reason we have this is that RedHat started to move a lot of
>>>   their own software to it because nss is FIPS certified. However,
>>>   this certification is not important to us at this point in time
>>>   and nss is only used by glibc, apr-util and curl. All of them could
>>>   be compiler either without nss or with an other SSL library.
>>>
>>> * polarssl
>>>   This library came into the distribution very recently and is used
>>>   by the authoritative powerdns server. As far as I am aware, powerdns
>>>   cannot use any other library.
>>>
>>> Conclusively, we can't (or don't want) to get rid of openssl, GnuTLS and
>>> polarssl. But nss looks like a candidate for me. Opinions?
>>>
>>> -Michael
>>>
>>> _______________________________________________
>>> Development mailing list
>>> Development(a)lists.ipfire.org
>>> http://lists.ipfire.org/mailman/listinfo/development
> 
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
> 

-- 
R. W. "Rod" Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
http://www.dailydata.net
214.827.2170

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: rodo.vcf --]
[-- Type: text/x-vcard, Size: 233 bytes --]

begin:vcard
fn:R. W. Rodolico
n:Rodolico;R. W.
org:Daily Data, Inc.
adr:;;POB 140465;Dallas;TX;75214-0465;US
email;internet:rodo@dailydata.net
title:President
tel;work:214.827.2170
url:http://www.dailydata.net
version:2.1
end:vcard