Re: Crypto Libs: Linking to OpenSSL, GnuTLS, NSS, ..?



Alexander Traud <pabstraud@compuserve.com> writes:

> Debian is very much OpenSSL. However, I see some packages default to
> GnuTLS or even NSS without providing OpenSSL, although their source
> project supports it.

Historically, use of GnuTLS was mostly because of licensing restrictions
because OpenSSL was incompatible with GPL-licensed code.  Now, OpenSSL is
compatible with GPL v3 and Debian has (with some controversy) adopted a
policy of treating it like a system library even for GPL v2 code, so at
least some of the GnuTLS usage has switched to OpenSSL.

> Question(s): Is there a recommendation/guideline/policy that package
> maintainers should prefer a specific crypto library (OpenSSL?) if they
> cannot support all of them? If not, is there an argumentation aid to
> convince package maintainers?

I don't believe there is a policy.

In practice, I believe OpenSSL tends to be more interoperable and
better-tested upstream than GnuTLS.  There have been long-standing
problems with GnuTLS not handling weird corner cases or bugs in other
libraries.  Some of these do get fixed over time, but that's still my
general impression.

Also, if a software package was written to use OpenSSL, the OpenSSL
compatibility layer in GnuTLS is very limited (I say this as someone who
tried to use it for a package for several years) and tends to cause a lot
of problems.

NSS probably doesn't have the same interoperability problems.  I
personally have no opinions about using it.  (Didn't Red Hat attempt to
standardize on NSS a while back?  I feel like that didn't work and they
stopped that effort, but some quick searching didn't uncover any support
for that belief.)

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>