Should we settle on one SSL implementation?

Steve Grubb sgrubb at redhat.com
Mon Oct 22 15:14:41 UTC 2007


On Monday 22 October 2007 08:17:01 Bernardo Innocenti wrote:
> It would seem a worthwhile goal to unify SSL/TLS
> implementations like we did for spell checkers.

Yes, we agree.

> We're now shipping no less than 4 different implementations
> of SSL:
>
>  - openssl (OpenBSD's implementation)
>  - nss (Netscape's implementation)
>  - gnutls (LGPL implementation)
>  - puretls (Java implementation)

There's actually more crypto than that. 


> But which one should replace the others?

Please see an email I sent back in August on this topic. 

https://www.redhat.com/archives/fedora-devel-list/2007-August/msg01594.html

I out line the reasons for the choice of NSS.


> It is not clear to me.  Judging from dependencies, OpenSSL,
> NSS and gnutls all seem equally popular in Fedora.

Yep.

> If we are to believe a non-independent comparison, gnutls
> looks like the best choice

But you are ignoring the fact that gnutls has never been through a FIPS-140-2 
certification and they are very expensive. These certifications find many 
bugs that would otherwise go unnoticed as well and require certain control 
interfaces be developed.

-Steve




More information about the fedora-devel-list mailing list