
Re: OpenSSL 1.1.0



Bernd Zeimetz <bernd@bzed.de> writes:
> On 11/21/2016 03:35 AM, Clint Adams wrote:
>> On Sun, Nov 20, 2016 at 01:57:52PM +0100, Marco d'Itri wrote:

>>> I do not think that anybody has been considering GnuTLS as a credible 
>>> replacement for a very long time.

>> That's very silly.

> No, it's the truth unfortunately.

It's a ton of work to maintain a high-quality SSL implementation.  Even
apart from the multitude of security issues that constantly arise, you
have to deal with interoperability with a bunch of half-assed, semi-broken
SSL implementations in the wild.  It needs resources, and the GnuTLS
development team doesn't seem to have those resources (and hasn't for a
while).  This in turn makes it hard to persuade upstreams to even consider
it, since they're usually very worried about interoperability (and GnuTLS
has a spotty track record there).

It also really hurts for GnuTLS to have a completely different API,
whatever the merits of that API over OpenSSL's.  (The OpenSSL
compatibility layer is missing so much that it's not really usable.  For
instance, it offers no way to set cipher suite preferences at all and
disables TLSv1.1 and newer, at least as far as I was able to determine
from looking at the code while trying to solve another reported bug.)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
