Bernd Zeimetz <be...@bzed.de> writes:

> On 11/21/2016 03:35 AM, Clint Adams wrote:
>> On Sun, Nov 20, 2016 at 01:57:52PM +0100, Marco d'Itri wrote:
>>> I do not think that anybody has been considering GnuTLS as a credible
>>> replacement for a very long time.

>> That's very silly.

> No, it's the truth unfortunately.

It's a ton of work to maintain a high-quality SSL implementation. Even apart from the multitude of security issues that constantly arise, you have to deal with interoperability with a bunch of half-assed, semi-broken SSL implementations in the wild. It needs resources, and the GnuTLS development team doesn't seem to have those resources (and hasn't for a while).

This in turn makes it hard to persuade upstreams to even consider it, since they're usually very worried about interoperability (and GnuTLS has a spotty track record there).

It also really hurts for GnuTLS to have a completely different API, whatever the merits of that API over OpenSSL's. (The OpenSSL compatibility layer is missing so much that it's not really usable. For instance, it offers no way to set cipher suite preferences at all and disables TLSv1.1 and newer, at least as far as I was able to determine from looking at the code while trying to solve another reported bug.)

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>