Hello,
I think it is time to discuss a thing, that has been stuck in my head for some time now: We have too many SSL implementations in the system. And as we are already discussion what we can remove from the distribution (Xen), I'd like to think about the SSL libraries.
IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all basically implement the same protocols, but they differ a bit in their interfaces, so a lot of projects prefer the one or an other.
When we had the Lucky Thirteen problem last week, I had to patch all four libraries. That's redundant work and I don't see any sense in that. I even see this as a security issue, because it is not easy to keep track of security issues in all libraries.
I would like to think about how we can get rid of some of these libraries:
* openssl We cannot get rid of this one because openssl is widely used and I tend to think that it is the de-facto standard library. A bit of a problem is the GPL-incompatible license.
* GnuTLS This is a much better choice in terms of licenses and GnuTLS is also widely used. I'd like to keep it.
* nss The reason we have this is that RedHat started to move a lot of their own software to it because nss is FIPS certified. However, this certification is not important to us at this point in time and nss is only used by glibc, apr-util and curl. All of them could be compiler either without nss or with an other SSL library.
* polarssl This library came into the distribution very recently and is used by the authoritative powerdns server. As far as I am aware, powerdns cannot use any other library.
Conclusively, we can't (or don't want) to get rid of openssl, GnuTLS and polarssl. But nss looks like a candidate for me. Opinions?
-Michael
Hi, as long as it is "that simple" I agree with you. We should try to reduce overhead as much as possbile an concentrate on things which are more important.
Ben
2013/2/10 Michael Tremer michael.tremer@ipfire.org:
Hello,
I think it is time to discuss a thing, that has been stuck in my head for some time now: We have too many SSL implementations in the system. And as we are already discussion what we can remove from the distribution (Xen), I'd like to think about the SSL libraries.
IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all basically implement the same protocols, but they differ a bit in their interfaces, so a lot of projects prefer the one or an other.
When we had the Lucky Thirteen problem last week, I had to patch all four libraries. That's redundant work and I don't see any sense in that. I even see this as a security issue, because it is not easy to keep track of security issues in all libraries.
I would like to think about how we can get rid of some of these libraries:
openssl We cannot get rid of this one because openssl is widely used and I tend to think that it is the de-facto standard library. A bit of a problem is the GPL-incompatible license.
GnuTLS This is a much better choice in terms of licenses and GnuTLS is also widely used. I'd like to keep it.
nss The reason we have this is that RedHat started to move a lot of their own software to it because nss is FIPS certified. However, this certification is not important to us at this point in time and nss is only used by glibc, apr-util and curl. All of them could be compiler either without nss or with an other SSL library.
polarssl This library came into the distribution very recently and is used by the authoritative powerdns server. As far as I am aware, powerdns cannot use any other library.
Conclusively, we can't (or don't want) to get rid of openssl, GnuTLS and polarssl. But nss looks like a candidate for me. Opinions?
-Michael
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
Well, it is simple. I made a branch and removed nss in that:
http://git.ipfire.org/?p=people/ms/ipfire-3.x.git;a=shortlog;h=refs/heads/re...
We could merge the branch, if we decide to go into that direction.
-Michael
On Mon, 2013-02-11 at 08:25 +0100, Benjamin Schweikert wrote:
Hi, as long as it is "that simple" I agree with you. We should try to reduce overhead as much as possbile an concentrate on things which are more important.
Ben
2013/2/10 Michael Tremer michael.tremer@ipfire.org:
Hello,
I think it is time to discuss a thing, that has been stuck in my head for some time now: We have too many SSL implementations in the system. And as we are already discussion what we can remove from the distribution (Xen), I'd like to think about the SSL libraries.
IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all basically implement the same protocols, but they differ a bit in their interfaces, so a lot of projects prefer the one or an other.
When we had the Lucky Thirteen problem last week, I had to patch all four libraries. That's redundant work and I don't see any sense in that. I even see this as a security issue, because it is not easy to keep track of security issues in all libraries.
I would like to think about how we can get rid of some of these libraries:
openssl We cannot get rid of this one because openssl is widely used and I tend to think that it is the de-facto standard library. A bit of a problem is the GPL-incompatible license.
GnuTLS This is a much better choice in terms of licenses and GnuTLS is also widely used. I'd like to keep it.
nss The reason we have this is that RedHat started to move a lot of their own software to it because nss is FIPS certified. However, this certification is not important to us at this point in time and nss is only used by glibc, apr-util and curl. All of them could be compiler either without nss or with an other SSL library.
polarssl This library came into the distribution very recently and is used by the authoritative powerdns server. As far as I am aware, powerdns cannot use any other library.
Conclusively, we can't (or don't want) to get rid of openssl, GnuTLS and polarssl. But nss looks like a candidate for me. Opinions?
-Michael
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
Hello Michael, Hello Ben,
you are right there are a lot of different SSL implementations out there which are probably doing the same stuff. And of course I totally agree with you that the currently 4 included implementations are to much.
To reduce overhead and "pre-designed" troubles on fixed security holes on some implementations, because patches to fix them are available - but for a second or third implementation they are not fixable because of a missing patchset.
This result in a potential security risk because some services still can be attacked, because they are linked and using a different SSL library.
A first good step, as you already wrote, will be to drop NSS because it's simple to do and as I can see on your git branch, has been done.
Currently we are not able to drop polarssl, because PDNS requires it as only supported SSL implementation. Hopefully this will be changed by the developers at a later time.
Stefan
Well, it is simple. I made a branch and removed nss in that:
http://git.ipfire.org/?p=people/ms/ipfire-3.x.git;a=shortlog;h=refs/heads/re...
We could merge the branch, if we decide to go into that direction.
-Michael
On Mon, 2013-02-11 at 08:25 +0100, Benjamin Schweikert wrote:
Hi, as long as it is "that simple" I agree with you. We should try to reduce overhead as much as possbile an concentrate on things which are more important.
Ben
2013/2/10 Michael Tremer michael.tremer@ipfire.org:
Hello,
I think it is time to discuss a thing, that has been stuck in my head for some time now: We have too many SSL implementations in the system. And as we are already discussion what we can remove from the distribution (Xen), I'd like to think about the SSL libraries.
IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all basically implement the same protocols, but they differ a bit in their interfaces, so a lot of projects prefer the one or an other.
When we had the Lucky Thirteen problem last week, I had to patch all four libraries. That's redundant work and I don't see any sense in that. I even see this as a security issue, because it is not easy to keep track of security issues in all libraries.
I would like to think about how we can get rid of some of these libraries:
openssl We cannot get rid of this one because openssl is widely used and I tend to think that it is the de-facto standard library. A bit of a problem is the GPL-incompatible license.
GnuTLS This is a much better choice in terms of licenses and GnuTLS is also widely used. I'd like to keep it.
nss The reason we have this is that RedHat started to move a lot of their own software to it because nss is FIPS certified. However, this certification is not important to us at this point in time and nss is only used by glibc, apr-util and curl. All of them could be compiler either without nss or with an other SSL library.
polarssl This library came into the distribution very recently and is used by the authoritative powerdns server. As far as I am aware, powerdns cannot use any other library.
Conclusively, we can't (or don't want) to get rid of openssl, GnuTLS and polarssl. But nss looks like a candidate for me. Opinions?
-Michael
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
I'll count this as a +1.
On Mon, 2013-02-11 at 18:41 +0100, Stefan Schantl wrote:
Hello Michael, Hello Ben,
you are right there are a lot of different SSL implementations out there which are probably doing the same stuff. And of course I totally agree with you that the currently 4 included implementations are to much.
To reduce overhead and "pre-designed" troubles on fixed security holes on some implementations, because patches to fix them are available - but for a second or third implementation they are not fixable because of a missing patchset.
This result in a potential security risk because some services still can be attacked, because they are linked and using a different SSL library.
A first good step, as you already wrote, will be to drop NSS because it's simple to do and as I can see on your git branch, has been done.
Currently we are not able to drop polarssl, because PDNS requires it as only supported SSL implementation. Hopefully this will be changed by the developers at a later time.
Stefan
Well, it is simple. I made a branch and removed nss in that:
http://git.ipfire.org/?p=people/ms/ipfire-3.x.git;a=shortlog;h=refs/heads/re...
We could merge the branch, if we decide to go into that direction.
-Michael
On Mon, 2013-02-11 at 08:25 +0100, Benjamin Schweikert wrote:
Hi, as long as it is "that simple" I agree with you. We should try to reduce overhead as much as possbile an concentrate on things which are more important.
Ben
2013/2/10 Michael Tremer michael.tremer@ipfire.org:
Hello,
I think it is time to discuss a thing, that has been stuck in my head for some time now: We have too many SSL implementations in the system. And as we are already discussion what we can remove from the distribution (Xen), I'd like to think about the SSL libraries.
IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all basically implement the same protocols, but they differ a bit in their interfaces, so a lot of projects prefer the one or an other.
When we had the Lucky Thirteen problem last week, I had to patch all four libraries. That's redundant work and I don't see any sense in that. I even see this as a security issue, because it is not easy to keep track of security issues in all libraries.
I would like to think about how we can get rid of some of these libraries:
openssl We cannot get rid of this one because openssl is widely used and I tend to think that it is the de-facto standard library. A bit of a problem is the GPL-incompatible license.
GnuTLS This is a much better choice in terms of licenses and GnuTLS is also widely used. I'd like to keep it.
nss The reason we have this is that RedHat started to move a lot of their own software to it because nss is FIPS certified. However, this certification is not important to us at this point in time and nss is only used by glibc, apr-util and curl. All of them could be compiler either without nss or with an other SSL library.
polarssl This library came into the distribution very recently and is used by the authoritative powerdns server. As far as I am aware, powerdns cannot use any other library.
Conclusively, we can't (or don't want) to get rid of openssl, GnuTLS and polarssl. But nss looks like a candidate for me. Opinions?
-Michael
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
I don't really have much involvement in this, but anytime you can simplify you're ahead.
Rod
On 02/11/2013 04:33 AM, Michael Tremer wrote:
Well, it is simple. I made a branch and removed nss in that:
http://git.ipfire.org/?p=people/ms/ipfire-3.x.git;a=shortlog;h=refs/heads/re...
We could merge the branch, if we decide to go into that direction.
-Michael
On Mon, 2013-02-11 at 08:25 +0100, Benjamin Schweikert wrote:
Hi, as long as it is "that simple" I agree with you. We should try to reduce overhead as much as possbile an concentrate on things which are more important.
Ben
2013/2/10 Michael Tremer michael.tremer@ipfire.org:
Hello,
I think it is time to discuss a thing, that has been stuck in my head for some time now: We have too many SSL implementations in the system. And as we are already discussion what we can remove from the distribution (Xen), I'd like to think about the SSL libraries.
IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all basically implement the same protocols, but they differ a bit in their interfaces, so a lot of projects prefer the one or an other.
When we had the Lucky Thirteen problem last week, I had to patch all four libraries. That's redundant work and I don't see any sense in that. I even see this as a security issue, because it is not easy to keep track of security issues in all libraries.
I would like to think about how we can get rid of some of these libraries:
openssl We cannot get rid of this one because openssl is widely used and I tend to think that it is the de-facto standard library. A bit of a problem is the GPL-incompatible license.
GnuTLS This is a much better choice in terms of licenses and GnuTLS is also widely used. I'd like to keep it.
nss The reason we have this is that RedHat started to move a lot of their own software to it because nss is FIPS certified. However, this certification is not important to us at this point in time and nss is only used by glibc, apr-util and curl. All of them could be compiler either without nss or with an other SSL library.
polarssl This library came into the distribution very recently and is used by the authoritative powerdns server. As far as I am aware, powerdns cannot use any other library.
Conclusively, we can't (or don't want) to get rid of openssl, GnuTLS and polarssl. But nss looks like a candidate for me. Opinions?
-Michael
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
Thanks for your opinions. I just merged the branch I posted earlier into the main repository.
Case closed.
-Michael
On Mon, 2013-02-11 at 14:41 -0600, R. W. Rodolico wrote:
I don't really have much involvement in this, but anytime you can simplify you're ahead.
Rod
On 02/11/2013 04:33 AM, Michael Tremer wrote:
Well, it is simple. I made a branch and removed nss in that:
http://git.ipfire.org/?p=people/ms/ipfire-3.x.git;a=shortlog;h=refs/heads/re...
We could merge the branch, if we decide to go into that direction.
-Michael
On Mon, 2013-02-11 at 08:25 +0100, Benjamin Schweikert wrote:
Hi, as long as it is "that simple" I agree with you. We should try to reduce overhead as much as possbile an concentrate on things which are more important.
Ben
2013/2/10 Michael Tremer michael.tremer@ipfire.org:
Hello,
I think it is time to discuss a thing, that has been stuck in my head for some time now: We have too many SSL implementations in the system. And as we are already discussion what we can remove from the distribution (Xen), I'd like to think about the SSL libraries.
IPFire 3 comes with openssl, GnuTLS, nss and polarssl. They all basically implement the same protocols, but they differ a bit in their interfaces, so a lot of projects prefer the one or an other.
When we had the Lucky Thirteen problem last week, I had to patch all four libraries. That's redundant work and I don't see any sense in that. I even see this as a security issue, because it is not easy to keep track of security issues in all libraries.
I would like to think about how we can get rid of some of these libraries:
openssl We cannot get rid of this one because openssl is widely used and I tend to think that it is the de-facto standard library. A bit of a problem is the GPL-incompatible license.
GnuTLS This is a much better choice in terms of licenses and GnuTLS is also widely used. I'd like to keep it.
nss The reason we have this is that RedHat started to move a lot of their own software to it because nss is FIPS certified. However, this certification is not important to us at this point in time and nss is only used by glibc, apr-util and curl. All of them could be compiler either without nss or with an other SSL library.
polarssl This library came into the distribution very recently and is used by the authoritative powerdns server. As far as I am aware, powerdns cannot use any other library.
Conclusively, we can't (or don't want) to get rid of openssl, GnuTLS and polarssl. But nss looks like a candidate for me. Opinions?
-Michael
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
-
Benjamin Schweikert -
Michael Tremer -
R. W. Rodolico -
Stefan Schantl