Russ Allbery wrote:
Andrew Bartlett<abartlet(a)samba.org> writes:
> On Sat, 2008-02-16 at 14:44 -0800, Russ Allbery wrote:
>> There are enough other reasons to use already-packaged software and
>> enough reasons to use Debian in preference to other distributions (for
>> what we're doing at Stanford; I'm not interested in discussing that
>> position with anyone on this list) that it was worth helping fund the
>> development of the GnuTLS support. That support basically works,
>> recommended or not, which is a better place than we were in before. I
>> can only hope that it will get better in the future, or that some
>> miracle will happen with either OpenSSL licensing or Debian's legal
>> interpretation of copyright, none of which I have any real control
> What would it take to create a third way here with Mozilla's NSS?
> For my sanity in Samba4, I keep bugging those involved with NSS and
> nss_compat_ossl to create a gnutls-like API to NSS. Some aspects of the
> API I like, while other aspects of the GnuTLS implementation drive me
> nuts - such as draining and blocking on /dev/random...
I pointed out a number of problems in the GnuTLS design last year when I
started the port. I stated back then that it was ill-advised, given the
library's overall design and maturity. Oh well.
Development of a port to GnuTLS required changes on both sides, but it
still leaves something to be desired, like better cipher suite APIs, etc.
I expect that a port to Mozilla's NSS wouldn't be
too much more difficult, although of course Howard would be the person to
ask for an estimate.
I would think there are other developers here who are familiar with Mozilla
NSS and can read the code in libldap/tls.c. It's certainly not high on my list
at the moment since OpenSSL works for me. One thing that I find rather
annoying about NSS is its use of a private certificate/keystore that requires
additional tools to manipulate.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/