Russ Allbery wrote:
Andrew Bartlett <abartlet@samba.org> writes:
On Sat, 2008-02-16 at 14:44 -0800, Russ Allbery wrote:
There are enough other reasons to use already-packaged software and enough reasons to use Debian in preference to other distributions (for what we're doing at Stanford; I'm not interested in discussing that position with anyone on this list) that it was worth helping fund the development of the GnuTLS support. That support basically works, recommended or not, which is a better place than we were in before. I can only hope that it will get better in the future, or that some miracle will happen with either OpenSSL licensing or Debian's legal interpretation of copyright, none of which I have any real control over.
What would it take to create a third way here with Mozilla's NSS?
For my sanity in Samba4, I keep bugging those involved with NSS and nss_compat_ossl to create a gnutls-like API to NSS. Some aspects of the API I like, while other aspects of the GnuTLS implementation drive me nuts - such as draining and blocking on /dev/random...
I pointed out a number of problems in the GnuTLS design last year when I started the port. I stated back then that it was ill-advised, given the library's overall design and maturity. Oh well.
Development of a port to GnuTLS required changes on both sides, but wasn't particularly expensive.
It still leaves something to be desired, like better cipher suite APIs, etc.
I expect that a port to Mozilla's NSS wouldn't be too much more difficult, although of course Howard would be the person to ask for an estimate.
I would think there are other developers here who are familiar with Mozilla NSS and can read the code in libldap/tls.c. It's certainly not high on my list at the moment since OpenSSL works for me. One thing that I find rather annoying about NSS is its use of a private certificate/keystore that requires additional tools to manipulate.