
Re: Should we settle on one SSL implementation?



Daniel P. Berrange wrote:
On Tue, Oct 23, 2007 at 10:22:06AM -0700, Robert Relyea wrote:
Another area that's a real problem is certificate validation. gnutls itself does not do certificate validation (that's left to other packages); OpenSSL provides helper functions and pushes everything else on the client. That means support for CRLs, OCSP, and PKIX would need to be added to each and every application. With NSS, there is a single call to validate certificates, and support for OCSP and CRLs comes automatically. Most of the conversions have simplified cert processing on the NSS side.

That's rather misleading. I've implemented SSL support in 3 apps using GNU TLS and all of them had certificate validation done using the GNU TLS APIs, including support for CRLs. Maybe NSS has more 'convenience' APIs for doing cert validation in fewer API calls, but to claim GNU TLS doesn't do any validation is just FUD.
My understanding was that there was another package for certificate and DER processing. If GNU TLS uses a single API (or a small set of APIs) for certificate processing, then it will make the conversion tools for GNU TLS much easier.

In general, GNU TLS does have better API separation than OpenSSL. The issue GNU TLS applications would have is if they call into libgcrypt directly.

bob
Dan
