From: "R. W. Rodolico"
To: development@lists.ipfire.org
Subject: Re: Multiple SSL implementations
Date: Mon, 11 Feb 2013 14:41:11 -0600

I don't really have much involvement in this, but anytime you can simplify you're ahead.

Rod

On 02/11/2013 04:33 AM, Michael Tremer wrote:
> Well, it is simple. I made a branch and removed nss in that:
>
> http://git.ipfire.org/?p=people/ms/ipfire-3.x.git;a=shortlog;h=refs/heads/remove-nss
>
> We could merge the branch, if we decide to go into that direction.
>
> -Michael
>
> On Mon, 2013-02-11 at 08:25 +0100, Benjamin Schweikert wrote:
>> Hi,
>> as long as it is "that simple" I agree with you. We should try to
>> reduce overhead as much as possible and concentrate on things which are
>> more important.
>>
>> Ben
>>
>> 2013/2/10 Michael Tremer:
>>> Hello,
>>>
>>> I think it is time to discuss a thing that has been stuck in my head
>>> for some time now: we have too many SSL implementations in the system.
>>> And as we are already discussing what we can remove from the
>>> distribution (Xen), I'd like to think about the SSL libraries.
>>>
>>> IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all
>>> basically implement the same protocols, but they differ a bit in their
>>> interfaces, so a lot of projects prefer one or the other.
>>>
>>> When we had the Lucky Thirteen problem last week, I had to patch all
>>> four libraries. That's redundant work and I don't see any sense in that.
>>> I even see this as a security issue, because it is not easy to keep
>>> track of security issues in all libraries.
>>>
>>> I would like to think about how we can get rid of some of these
>>> libraries:
>>>
>>> * openssl
>>> We cannot get rid of this one because openssl is widely used and I
>>> tend to think that it is the de-facto standard library.
>>> A bit of a problem is the GPL-incompatible license.
>>>
>>> * GnuTLS
>>> This is a much better choice in terms of licenses and GnuTLS is
>>> also widely used. I'd like to keep it.
>>>
>>> * nss
>>> The reason we have this is that RedHat started to move a lot of
>>> their own software to it because nss is FIPS certified. However,
>>> this certification is not important to us at this point in time
>>> and nss is only used by glibc, apr-util and curl. All of them could
>>> be compiled either without nss or with another SSL library.
>>>
>>> * polarssl
>>> This library came into the distribution very recently and is used
>>> by the authoritative powerdns server. As far as I am aware, powerdns
>>> cannot use any other library.
>>>
>>> Conclusively, we can't (or don't want to) get rid of openssl, GnuTLS and
>>> polarssl. But nss looks like a candidate for me. Opinions?
>>>
>>> -Michael
>>>
>>> _______________________________________________
>>> Development mailing list
>>> Development(a)lists.ipfire.org
>>> http://lists.ipfire.org/mailman/listinfo/development
>

-- 
R. W. "Rod" Rodolico
Daily Data, Inc.
POB 140465 Dallas TX 75214-0465
http://www.dailydata.net
214.827.2170
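The thread's key question is which installed binaries actually depend on each TLS library, since every extra implementation is one more place to patch when something like Lucky Thirteen lands. The following POSIX shell helper, added here as an example and not code from the thread or from IPFire, classifies the NEEDED sonames that readelf -d reports by TLS family and counts dependents per family. The soname patterns are assumptions about typical Linux builds of these libraries.

```shell
#!/bin/sh
# Hypothetical inventory helper (not IPFire code): which TLS library
# family does each ELF binary pull in? Needs readelf (binutils) only for
# the live scan; the classification functions work on plain text.

# Map one DT_NEEDED soname to a TLS family. Prints nothing for other libs.
# Soname patterns are assumptions about common Linux builds.
tls_family() {
  case "$1" in
    libnss3.so*|libssl3.so*|libnssutil3.so*|libnspr4.so*) echo nss ;;
    libssl.so*|libcrypto.so*) echo openssl ;;
    libgnutls.so*)            echo gnutls ;;
    libpolarssl.so*)          echo polarssl ;;
  esac
}

# Read "readelf -d" output on stdin; print each TLS family it depends on,
# one per line, deduplicated (a binary linking libssl and libcrypto
# counts once as openssl).
families_from_readelf() {
  sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p' | while read -r so; do
    tls_family "$so"
  done | sort -u
}

# Walk a tree and emit "<family> <path>" for every ELF file that links
# a TLS library. Non-ELF files make readelf fail, which is silenced.
scan_tree() {
  find "$1" -type f | while read -r f; do
    readelf -d "$f" 2>/dev/null | families_from_readelf | while read -r fam; do
      printf '%s %s\n' "$fam" "$f"
    done
  done
}

# Turn "<family> <path>" lines into "<family> <count>" lines, sorted.
# This is the number you want before deciding which library to drop.
summarize() {
  awk '{n[$1]++} END {for (f in n) print f, n[f]}' | sort
}

# Live usage on a real system: scan_tree /usr | summarize
```

Running scan_tree over /usr and piping into summarize gives the per-library dependent count; a family with zero or a handful of dependents is the one worth rebuilding those packages against another library.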