Should we settle on one SSL implementation?
Steve Grubb
sgrubb at redhat.com
Mon Oct 22 15:14:41 UTC 2007
On Monday 22 October 2007 08:17:01 Bernardo Innocenti wrote:
> It would seem a worthwhile goal to unify SSL/TLS
> implementations like we did for spell checkers.
Yes, we agree.
> We're now shipping no less than 4 different implementations
> of SSL:
>
> - openssl (OpenBSD's implementation)
> - nss (Netscape's implementation)
> - gnutls (LGPL implementation)
> - puretls (Java implementation)
There's actually more crypto than that.
> But which one should replace the others?
Please see an email I sent back in August on this topic.
https://www.redhat.com/archives/fedora-devel-list/2007-August/msg01594.html
I outline the reasons for the choice of NSS.
> It is not clear to me. Judging from dependencies, OpenSSL,
> NSS and gnutls all seem equally popular in Fedora.
Yep.
> If we are to believe a non-independent comparison, gnutls
> looks like the best choice
But you are ignoring the fact that gnutls has never been through a FIPS-140-2
certification, and they are very expensive. These certifications find many
bugs that would otherwise go unnoticed, and they also require that certain control
interfaces be developed.
-Steve