
Re: Crypto Libs: Linking to OpenSSL, GnuTLS, NSS, ..?



On Fri, 12 Nov 2021 at 12:03:53 +0000, Stephan Verbücheln wrote:
> My impression is that web based projects lean towards OpenSSL, while
> for example the whole GTK/Gnome desktop stack is using GnuTLS (with
> nettle/hogweed). So you will not get rid of either crypto stack.

I believe the reason why GNOME-adjacent projects generally prefer
GnuTLS is that GNOME's conventional license is LGPL (or sometimes GPL),
resulting in licensing conflicts between the (L)GPL's copyleft and the
OpenSSL 1.x license's advertising clause.

For permissively-licensed (non-copyleft) projects, OpenSSL's licensing
is less of a barrier, and a lot of web projects are permissively-licensed,
so it's unsurprising if they lean towards OpenSSL.

In principle, GTK applications that require TLS should all or nearly
all be using the TLS abstractions available in GLib since around 2011
(such as GTlsConnection), which get their implementation from plugins
rather than directly from GLib, so that distributions that feel strongly
about this sort of thing can use their preferred implementation without
having to patch GLib.

The usual TLS plugins for GLib come from GNOME's glib-networking, which
has both GnuTLS and OpenSSL backends (although I believe the OpenSSL
backend is still considered experimental, and we don't compile it in
Debian). Third-party plugins are also possible, but I don't think we
have any in Debian.

In practice, I'm sure some GNOME and GNOME-adjacent applications use
GnuTLS, OpenSSL and/or NSS directly, either because they need finer
control over TLS behaviour or because they are older than 2011 and never
got converted to use GLib's TLS abstractions.

> And then there is NSS by Mozilla, and there is also libgcrypt, which is
> the basis of GnuPG. To my knowledge, it does not even share core
> routines with GnuTLS.

My understanding is that libgcrypt is a low-level crypto library
comparable to nettle/hogweed and OpenSSL's libcrypto, whereas GnuTLS
is a higher-level TLS library comparable to OpenSSL's libssl.

GnuTLS 2.x used libgcrypt, which it shared with GnuPG. GnuTLS 3.x uses
nettle/hogweed instead.

    smcv
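As an added example (not part of smcv's reply or of any project named in it), a small POSIX shell helper that sorts the libraries a binary links against into the stacks discussed above: OpenSSL's libssl vs libcrypto, GnuTLS, nettle/hogweed, NSS and libgcrypt. The soname patterns are assumptions based on common packaging, and the two ldd outputs are constructed; the second one shows the caveat from the thread that a GLib application only links GIO, so its real TLS backend (a glib-networking plugin) is not visible to ldd at all.

```shell
#!/bin/sh
# Classify the TLS / low-level crypto stacks visible in ldd-style output on stdin.
# Soname patterns below are assumptions (typical Linux packaging), not from the post.
classify_crypto_libs() {
  awk '
    /libssl\.so/                           { s["OpenSSL libssl (TLS)"] = 1 }
    /libcrypto\.so/                        { s["OpenSSL libcrypto (low-level crypto)"] = 1 }
    /libgnutls\.so/                        { s["GnuTLS (TLS)"] = 1 }
    /libnettle\.so|libhogweed\.so/         { s["nettle/hogweed (low-level crypto)"] = 1 }
    /libnss3\.so|libssl3\.so|libnspr4\.so/ { s["NSS"] = 1 }
    /libgcrypt\.so/                        { s["libgcrypt (low-level crypto)"] = 1 }
    # GIO alone tells you nothing about the TLS stack: it comes from a plugin at run time.
    /libgio-2\.0\.so/ { s["GLib GIO (TLS comes from a glib-networking plugin, not visible here)"] = 1 }
    END { for (k in s) print k }
  ' | LC_ALL=C sort | paste -sd ';' -
}

# Constructed ldd output for a hypothetical tool linked directly against GnuTLS.
SAMPLE_GNUTLS_TOOL='    libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f00)
    libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.8 (0x00007f01)
    libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.so.6 (0x00007f02)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f03)'

# Constructed ldd output for a hypothetical GLib application: only GIO shows up,
# because the TLS implementation is loaded from glib-networking, not linked directly.
SAMPLE_GLIB_APP='    libgio-2.0.so.0 => /lib/x86_64-linux-gnu/libgio-2.0.so.0 (0x00007f10)
    libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007f11)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f12)'

# One-line summaries of the constructed samples (handy for scripts and tests).
summarize_gnutls_tool() { printf '%s\n' "$SAMPLE_GNUTLS_TOOL" | classify_crypto_libs; }
summarize_glib_app()    { printf '%s\n' "$SAMPLE_GLIB_APP" | classify_crypto_libs; }

# Real use on an installed binary (needs ldd); reports direct linkage only, so for
# GLib applications inspect the glib-networking module itself as well.
classify_binary() { ldd "$1" 2>/dev/null | classify_crypto_libs; }

summarize_gnutls_tool
summarize_glib_app
```

Because the helper only sees direct linkage, an inventory built from it must also cover plugin-loaded backends (the glib-networking module) before concluding which stack a GLib application actually uses.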