
Re: libnss consolidation (was: X.509 and CA certificates for other purposes (i.e. the IGTF))



On Fri, May 31, 2013 at 4:42 AM, brian m. carlson
<sandals@crustytoothpaste.net> wrote:
> On Thu, May 30, 2013 at 04:04:47PM +0200, Bastien ROUCARIES wrote:
>> > Cons:
>> >
>> > - not all crypto libraries are equivalent; choosing one will exclude
>> > some functionality provided by others
>>
>> SEE compat layer
>> > - we somehow have to deal with legacy systems that can't convert
>> > - adoption of new software that uses something else is harder
>
> NSS does not support TLS 1.2.  Since RC4 is not used securely in TLS,
> and the only other choice in TLS 1.1 and earlier is block ciphers with
> CBC, this means that there are no secure choices.  I know the lack of
> TLS 1.2 support has caused customers of $DAYJOB endless heartache with
> regard to PCI compliance.

Not true anymore:
https://hg.mozilla.org/projects/nss/rev/5a9fa031aca5

Please open a Debian bug.

>
> NSS supports fewer algorithms than either OpenSSL or GnuTLS.

Please file a bug:

GnuTLS is really crappy about suid,
see http://lists.debian.org/debian-devel/2010/03/msg00298.html
See also
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543941

And OpenSSL has a problem with its license....
> --
> brian m. carlson / brian with sandals: Houston, Texas, US
> +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
> OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
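The quoted concern above (below TLS 1.2 the only record-protection choices are RC4 or CBC-mode block ciphers, so a PCI assessor sees no acceptable suite) can be checked on the wire. The following is an added example, not part of this thread or of NSS: it parses a captured ServerHello record, reports the negotiated version and cipher suite, and flags the RC4/CBC-on-pre-1.2 case. The suite table, the `build_server_hello` helper and the sample bytes are constructed for the example.

```python
import struct

# Constructed table of IANA cipher suite IDs by record-protection mode. The
# thread's point: before TLS 1.2 the only choices are RC4 or CBC-mode block
# ciphers; AEAD (GCM) suites exist only from TLS 1.2 on.
SUITES = {
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "rc4"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "cbc"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "cbc"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "cbc"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "aead"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "aead"),
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version and suite."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # server_version(2) random(32) session_id_len(1) session_id cipher_suite(2)
    if len(hello) < 35 or len(hello) < 37 + hello[34]:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    off = 35 + hello[34]
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    name, mode = SUITES.get(suite, ("unknown_%04x" % suite, "unknown"))
    return {"version": VERSIONS.get(version, "0x%04x" % version),
            "suite": name, "mode": mode}

def assess(info: dict) -> str:
    """Flag what the thread describes: RC4 or CBC as the only pre-1.2 options."""
    if info["mode"] == "aead":
        return "ok: AEAD suite on " + info["version"]
    if info["mode"] in ("rc4", "cbc"):
        return "weak: %s-mode suite on %s" % (info["mode"], info["version"])
    return "unknown suite"

def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample: minimal ServerHello, empty session id, no extensions."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

if __name__ == "__main__":
    for v, s in ((0x0302, 0x0005), (0x0302, 0x002F), (0x0303, 0xC02F)):
        info = parse_server_hello(build_server_hello(v, s))
        print(info["version"], info["suite"], "->", assess(info))
```

On real traffic, feed `parse_server_hello` the first handshake record the server sends; a ServerHello with extensions or a non-empty session id is handled the same way, since the cipher suite follows the session id directly.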