Howard Chu wrote:
> Russ Allbery wrote:
>> I expect that a port to Mozilla's NSS wouldn't be
>> too much more difficult, although of course Howard would be the person to
>> ask for an estimate.
> I would think there are other developers here who are familiar with
> Mozilla NSS and can read the code in libldap/tls.c. It's certainly not
> high on my list at the moment since OpenSSL works for me. One thing that
> I find rather annoying about NSS is its use of a private
> certificate/keystore that requires additional tools to manipulate.

Well, using Mozilla NSS and its certificate database would have
pros and cons. One pro would be that LDAP clients could make use
of the certificate database, e.g. containing client certs/keys,
already maintained by one of the Mozilla GUI client products (e.g.
Seamonkey). Similar to how OpenOffice uses the Mozilla cert database
out of the box.
What I find annoying with OpenSSL is that IIRC there is no
separate cert store for intermediate CA certs which are not a
trust anchor. So the server has to be configured to always send
the intermediate CA certs during SSL connect. Would have to
examine this a little bit closer though. Using the NSS cert
database together with certutil maintaining trust flags for certain
cert usage is more powerful in this regard.
I cannot tell how active the development of OpenSSL and Mozilla
NSS is compared to each other.
Ciao, Michael.