[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Should we settle on one SSL implementation?



On Tue, Oct 23, 2007 at 10:22:06AM -0700, Robert Relyea wrote:
> Another area that's a real problem is certificate validation. gnutls 
> itself doe not do certificate validation (that's left to other 
> packages), openssl provided helper functions and pushes everything else 
> on the client. That means support for Crl's, OCSP, and PKIX would need 
> to be added to each an every application. With NSS, there is a single 
> call to validate certificates, and support for OCSP and CRL's come 
> automatically. Most of the conversions have simplified cert processing 
> in the NSS side.

That's rather misleading. I've implemented SSL support in 3 apps using GNU 
TLS and all of them had certificate validation done using the GNU TLS APIs,
including support for CRLs. Maybe NSS has more 'convenience' APIs for doing
cert validation in fewer API calls, but to claim GNU TLS  doesn't do any 
validation is just FUD.

Dan
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]