On 2012-11-11 17:20, Reindl Harald wrote:
> On 12.11.2012 02:11, Daniel L. Miller wrote:
>> On 11/6/2012 12:30 PM, Timo Sirainen wrote:
>>> On 6.11.2012, at 17.26, Ed W wrote:
>>>> On 05/11/2012 23:22, Timo Sirainen wrote:
>>>>> On Mon, 2012-11-05 at 23:40 +0200, Timo Sirainen wrote:
>>>>> This also provides a nice abstraction to OpenSSL, making it again
>>>>> possible to implement other backends like GnuTLS or NSS. (Except
>>>>> login process code doesn't use lib-ssl-iostream yet.)
>>>> Does libtomcrypt implement enough?
>>> It doesn't do SSL, which is all Dovecot cares about.
>> Can the GnuTLS OpenSSL compatibility layer be used safely?
>
> where is the problem with openssl?

I don't know what the problem is - I just know that I've heard from a number of developers (including the Postfix & Dovecot developers) that they don't like OpenSSL - but while GnuTLS looks interesting they aren't interested in working on the interface - though they're willing to accept patches. (My full apologies right now if Timo or Wietse are offended by my speaking out of turn).

I'm no security expert, but I do know that OpenSSL has had issues with version compatibility. I had a very troubled time during an OpenSSL/Postfix upgrade that left me non-functional until I found the exact version pairings required.

The tiny bit of Googling I've done tells me GnuTLS seems to be a more standards-compliant implementation, and MAY be "safer" than OpenSSL. However, as OpenSSL is the de-facto standard used by most Linux programs, acceptance of GnuTLS is quite limited.

I've been intrigued by what I've read about it, and took a quick look at enabling support in Dovecot for GnuTLS directly - but while it didn't seem overly heavy at first glance the fact that Timo doesn't want to do it tells me I'm underestimating the complexity.

-- 
Daniel