Joe Orton wrote:
On Wed, Aug 22, 2007 at 05:51:20PM -0700, Robert Relyea wrote:Steve Grubb wrote:I wanted to announce a new Fedora Project that will span several distro releases and outline the reasons why we are starting this project. I believe this issue affects the whole Open Source Community. But don't think anyone has explained all the issues. We're looking for people interested in enabling NSS in their packages and feeding the changes upstream.A list of packages that need to be looked at can now be found at: https://fedoraproject.org/wiki/CryptoConsolidationScorecardSwitching OpenLDAP to use NSS may be painful because of the exposure of the SSL_CTX * in the API via LDAP_OPT_X_TLS_CTX, though I don't know how widely that is used. Would it be less painful to switch from OpenLDAP to the Mozilla LDAP toolkit (now part of the FDS?) at the same time?I'm not sure what part mod_nss plays in this plan - it is not a substitute for mod_ssl. Doing this properly means porting mod_ssl upstream to use NSS and supporting existing configurations on that platform, as we've discussed off-line before. (same thing applies to subversion with neon)
I'm not sure what you mean by mod_nss not being a substitute for mod_ssl. It is a derivation of it and there are few differences. It is fairly straightforward to convert a mod_ssl configuration to mod_nss.
What may be better in the long-run, and I'm not sure if this is what you are suggesting, would be to completely rewrite mod_ssl and abstract out the SSL calls completely (ala libcurl). Then any SSL provider (GNUtls, OpenSSL, NSS, etc) could write a backend for it. This would be quite a large job though. And there would likely still be implementation-specific options (such as verifydepth).
Description: S/MIME Cryptographic Signature