Re: Crypto Libs: Linking to OpenSSL, GnuTLS, NSS, ..?
Alexander Traud <pabstraud@compuserve.com> writes:
> Debian is very much OpenSSL. However, I see some packages default to
> GnuTLS or even NSS without providing OpenSSL, although their source
> project supports it.
Historically, use of GnuTLS was mostly because of licensing restrictions
because OpenSSL was incompatible with GPL-licensed code. Now, OpenSSL is
compatible with GPL v3 and Debian has (with some controversy) adopted a
policy of treating it like a system library even for GPL v2 code, so at
least some of the GnuTLS usage has switched to OpenSSL.
> Question(s): Is there a recommendation/guideline/policy that package
> maintainers should prefer a specific crypto library (OpenSSL?) if they
> cannot support all of them? If not, is there an argumentation aid to
> convince package maintainers?
I don't believe there is a policy.
In practice, I believe OpenSSL tends to be more interoperable and
better-tested upstream than GnuTLS. There have been long-standing
problems with GnuTLS not handling weird corner cases or bugs in other
libraries. Some of these do get fixed over time, but that's still my
general impression.
Also, if a software package was written to use OpenSSL, the OpenSSL
compatibility layer in GnuTLS is very limited (I say this as someone who
tried to use it for a package for several years) and tends to cause a lot
of problems.
NSS probably doesn't have the same interoperability problems. I
personally have no opinions about using it. (Didn't Red Hat attempt to
standardize on NSS a while back? I feel like that didn't work and they
stopped that effort, but some quick searching didn't uncover any support
for that belief.)
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>