On Thu, 2017-04-13 at 10:42 +0100, David Woodhouse wrote:
> On Thu, 2017-04-06 at 12:57 -0400, Stephen Gallagher wrote:
> > > > Also, wasn't there an issue with the OpenSSL's licensing and
> > > > GPL?
> > > > If it still is, could it affect any of the packages that are
> > > > now using
> > > > li
On Mon, Apr 10, 2017 at 03:52:32PM +0200, Kai Engert wrote:
> In my opinion, a little bit of space saving shouldn't be a sufficient
> argument for removing existing security functionality.
Space saving is nice, but that's not the real issue. It's a given that
all security libraries will have criti
Once upon a time, David Woodhouse said:
> I'm not sure what reasoning there was for switching to OpenSSL instead
> of GnuTLS...?
I think the general idea is to move things to what upstream considers
the "preferred" library. If you had all the relevant -devel packages
installed and ran configure
On Thursday, April 13, 2017 10:45:13 David Woodhouse wrote:
> On Mon, 2017-04-10 at 15:52 +0200, Kai Engert wrote:
> > On Mon, 2017-04-10 at 15:31 +0200, Kamil Dudka wrote:
> > > Anyway, I guess we should move this discussion to some curl- or
> > > nss-related channel...
> >
> > The question rema
On Thu, 2017-04-13 at 11:57 +0200, Reindl Harald wrote:
>
> that for example we run 20 servers on top of Fedora from mail, web, sfp
> over fileservers, routers, firewalls and *none* of them has GnuTLS
> installed at all - even not the build and deployment machine?
Ah, OK. I thought it was more
On Mon, 2017-04-10 at 15:52 +0200, Kai Engert wrote:
> On Mon, 2017-04-10 at 15:31 +0200, Kamil Dudka wrote:
> > Anyway, I guess we should move this discussion to some curl- or nss-related
> > channel...
>
> The question remains, if it makes sense to switch back to openssl, if the
> consequence i
On Thu, 2017-04-06 at 12:57 -0400, Stephen Gallagher wrote:
> > > Also, wasn't there an issue with the OpenSSL's licensing and GPL?
> > > If it still is, could it affect any of the packages that are now using
> > > libcurl?
> > There is this: https://www.openssl.org/blog/blog/2017/03/22/license/
W
On Friday, April 07, 2017 18:46:33 Kai Engert wrote:
> You convinced me, that it would be good to have test cases to demonstrate
> how nss/openssl/gnutls are behaving related to the distrust rules.
>
> I set up the following page, which provides multiple test cases, and
> instructions how to test:
>
On 04/10/2017 03:52 PM, Kai Engert wrote:
On Mon, 2017-04-10 at 15:31 +0200, Kamil Dudka wrote:
Anyway, I guess we should move this discussion to some curl- or nss-related
channel...
The question remains, if it makes sense to switch back to openssl, if the
consequence is a loss in completeness
On Mon, 2017-04-10 at 15:31 +0200, Kamil Dudka wrote:
> Anyway, I guess we should move this discussion to some curl- or nss-related
> channel...
The question remains, if it makes sense to switch back to openssl, if the
consequence is a loss in completeness of certificate trust checking.
In my op
On Friday, April 07, 2017 18:46:33 Kai Engert wrote:
> You convinced me, that it would be good to have test cases to demonstrate
> how nss/openssl/gnutls are behaving related to the distrust rules.
>
> I set up the following page, which provides multiple test cases, and
> instructions how to test:
>
You convinced me, that it would be good to have test cases to demonstrate how
nss/openssl/gnutls are behaving related to the distrust rules.
I set up the following page, which provides multiple test cases, and instructions
how to test:
https://kuix.de/misc/test-distrust/
Kai
On Friday, April 07, 2017 13:45:48 Kamil Dudka wrote:
> On Friday, April 07, 2017 13:34:42 Kai Engert wrote:
> > On Fri, 2017-04-07 at 11:54 +0200, Kamil Dudka wrote:
> > > On Friday, April 07, 2017 11:01:35 Kai Engert wrote:
> > > > On Fri, 2017-04-07 at 10:38 +0200, Kamil Dudka wrote:
> > > > > A
On Friday, April 07, 2017 13:34:42 Kai Engert wrote:
> On Fri, 2017-04-07 at 11:54 +0200, Kamil Dudka wrote:
> > On Friday, April 07, 2017 11:01:35 Kai Engert wrote:
> > > On Fri, 2017-04-07 at 10:38 +0200, Kamil Dudka wrote:
> > > > Although we build libcurl against NSS now, it loads the same CA b
On Fri, 2017-04-07 at 11:54 +0200, Kamil Dudka wrote:
> On Friday, April 07, 2017 11:01:35 Kai Engert wrote:
> > On Fri, 2017-04-07 at 10:38 +0200, Kamil Dudka wrote:
> > > Although we build libcurl against NSS now, it loads the same CA bundle as
> > > if we built it against OpenSSL:
> > >
> > >
On Friday, April 07, 2017 11:01:35 Kai Engert wrote:
> On Fri, 2017-04-07 at 10:38 +0200, Kamil Dudka wrote:
> > Although we build libcurl against NSS now, it loads the same CA bundle as
> > if we built it against OpenSSL:
> >
> > /etc/pki/tls/certs/ca-bundle.crt
> >
> > So I doubt it could a
On Fri, 2017-04-07 at 10:38 +0200, Kamil Dudka wrote:
>
> Although we build libcurl against NSS now, it loads the same CA bundle as
> if we built it against OpenSSL:
>
> /etc/pki/tls/certs/ca-bundle.crt
>
> So I doubt it could actually take advantage of those extra flags.
This file doesn't
On Thursday, April 06, 2017 18:39:26 Kai Engert wrote:
> On Thu, 2017-04-06 at 09:29 -0700, Adam Williamson wrote:
> > On Thu, 2017-04-06 at 18:22 +0200, Kai Engert wrote:
> > > I would like to make you aware that the certificate validation of
> > > openssl
> > > isn't
> > > as complete as in NSS.
On 04/06/2017 12:15 PM, Matthew Miller wrote:
> On Thu, Apr 06, 2017 at 05:50:16PM +0200, Miroslav Lichvar wrote:
>>> In order to make even smaller Fedora base images, it was proposed to switch
>>> libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which
>>> motivated the switch of
On Thu, 2017-04-06 at 09:29 -0700, Adam Williamson wrote:
> On Thu, 2017-04-06 at 18:22 +0200, Kai Engert wrote:
> > I would like to make you aware that the certificate validation of openssl
> > isn't
> > as complete as in NSS.
> >
> > For example, NSS is able to handle the blacklisted/distrusted
On Thu, 2017-04-06 at 18:22 +0200, Kai Engert wrote:
> I would like to make you aware that the certificate validation of openssl
> isn't
> as complete as in NSS.
>
> For example, NSS is able to handle the blacklisted/distrusted CAs, which have
> been published by Mozilla, and are being made avail
I would like to make you aware that the certificate validation of openssl isn't
as complete as in NSS.
For example, NSS is able to handle the blacklisted/distrusted CAs, which have
been published by Mozilla, and are being made available as part of the
ca-certificates package, while I believe open
On Thu, Apr 06, 2017 at 05:50:16PM +0200, Miroslav Lichvar wrote:
> > In order to make even smaller Fedora base images, it was proposed to switch
> > libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which
> > motivated the switch of libcurl from OpenSSL to NSS ten years ago, is no
On Wed, Apr 05, 2017 at 03:52:22PM +0200, Kamil Dudka wrote:
> In order to make even smaller Fedora base images, it was proposed to switch
> libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which
> motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now
> depreca
On Thursday, April 06, 2017 16:05:16 Jan Kurik wrote:
> On Thu, Apr 6, 2017 at 3:47 PM, Stephen Gallagher wrote:
> > On 04/06/2017 09:12 AM, Kamil Dudka wrote:
> >> On Thursday, April 06, 2017 15:00:31 Jan Kurik wrote:
> >>> On Thu, Apr 6, 2017 at 2:49 PM, Kamil Dudka wrote:
> On Wednesday,
On Thu, Apr 6, 2017 at 3:47 PM, Stephen Gallagher wrote:
> On 04/06/2017 09:12 AM, Kamil Dudka wrote:
>> On Thursday, April 06, 2017 15:00:31 Jan Kurik wrote:
>>> On Thu, Apr 6, 2017 at 2:49 PM, Kamil Dudka wrote:
On Wednesday, April 05, 2017 17:09:34 Jan Kurik wrote:
> Might not be dire
On 04/06/2017 09:12 AM, Kamil Dudka wrote:
> On Thursday, April 06, 2017 15:00:31 Jan Kurik wrote:
>> On Thu, Apr 6, 2017 at 2:49 PM, Kamil Dudka wrote:
>>> On Wednesday, April 05, 2017 17:09:34 Jan Kurik wrote:
Might not be directly related, but just for a reference - one of the
F26 Cha
On Thursday, April 06, 2017 15:00:31 Jan Kurik wrote:
> On Thu, Apr 6, 2017 at 2:49 PM, Kamil Dudka wrote:
> > On Wednesday, April 05, 2017 17:09:34 Jan Kurik wrote:
> >> Might not be directly related, but just for a reference - one of the
> >> F26 Changes (currently deferred to F27) is doing the
On Thu, Apr 6, 2017 at 2:49 PM, Kamil Dudka wrote:
> On Wednesday, April 05, 2017 17:09:34 Jan Kurik wrote:
>> Might not be directly related, but just for a reference - one of the
>> F26 Changes (currently deferred to F27) is doing the same for
>> OpenLDAP: https://fedoraproject.org/wiki/Changes/O
On Wednesday, April 05, 2017 18:28:53 Dusty Mabe wrote:
> On 04/05/2017 12:17 PM, Kamil Dudka wrote:
> > On Wednesday, April 05, 2017 11:38:35 Colin Walters wrote:
> >> libostree does that -
> >> https://github.com/ostreedev/ostree/blob/c937305c0e7f5609273e25753912c294
> >> b0
> >> 40a6ac/src/libos
On Wednesday, April 05, 2017 17:09:34 Jan Kurik wrote:
> Might not be directly related, but just for a reference - one of the
> F26 Changes (currently deferred to F27) is doing the same for
> OpenLDAP: https://fedoraproject.org/wiki/Changes/OpenLDAPwithOpenSSL
I have prepared a draft of the change
On 04/05/2017 12:17 PM, Kamil Dudka wrote:
> On Wednesday, April 05, 2017 11:38:35 Colin Walters wrote:
>>
>> libostree does that -
>> https://github.com/ostreedev/ostree/blob/c937305c0e7f5609273e25753912c294b0
>> 40a6ac/src/libostree/ostree-fetcher-curl.c
>>
>> In the exploded archive case, I ge
Hello, Kamil.
On Wednesday, 05 April 2017 at 15:52, Kamil Dudka wrote:
> In order to make even smaller Fedora base images, it was proposed to switch
> libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which
> motivated the switch of libcurl from OpenSSL to NSS ten years ago, is no
On 04/05/2017 11:42 AM, Alexander Bokovoy wrote:
> On ke, 05 huhti 2017, Kamil Dudka wrote:
>> In order to make even smaller Fedora base images, it was proposed to switch
>> libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which
>> motivated the switch of libcurl from OpenSSL to N
On Wednesday, April 05, 2017 11:38:35 Colin Walters wrote:
> On Wed, Apr 5, 2017, at 11:28 AM, Kamil Dudka wrote:
> > Anyway, do not overestimate the power of HTTP/2. It will not
> > transparently
> > bring you better transfers for free. You can speak HTTP/2 even while
> > using
> > the curl tool
On ke, 05 huhti 2017, Kamil Dudka wrote:
In order to make even smaller Fedora base images, it was proposed to switch
libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which
motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now
deprecated and libcurl is the onl
Kamil Dudka wrote:
> In order to make even smaller Fedora base images, it was proposed to switch
> libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which
> motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now
> deprecated and libcurl is the only package that p
On Wed, Apr 5, 2017, at 11:28 AM, Kamil Dudka wrote:
> Anyway, do not overestimate the power of HTTP/2. It will not transparently
> bring you better transfers for free. You can speak HTTP/2 even while using
> the curl tool but it is mainly useful for testing. If you want to take the
> advantage
On Wednesday, April 05, 2017 10:33:11 Stephen Gallagher wrote:
> On 04/05/2017 09:59 AM, Colin Walters wrote:
> > On Wed, Apr 5, 2017, at 09:52 AM, Kamil Dudka wrote:
> >> In order to make even smaller Fedora base images, it was proposed to
> >> switch
> >> libcurl back to OpenSSL. The Fedora Cryp
Might not be directly related, but just for a reference - one of the
F26 Changes (currently deferred to F27) is doing the same for
OpenLDAP: https://fedoraproject.org/wiki/Changes/OpenLDAPwithOpenSSL
Regards,
Jan
On Wed, Apr 5, 2017 at 4:33 PM, Stephen Gallagher wrote:
> On 04/05/2017 09:59 AM,
On 04/05/2017 09:59 AM, Colin Walters wrote:
>
>
> On Wed, Apr 5, 2017, at 09:52 AM, Kamil Dudka wrote:
>> In order to make even smaller Fedora base images, it was proposed to switch
>> libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which
>> motivated the switch of libcurl fro
On Wed, Apr 5, 2017, at 09:52 AM, Kamil Dudka wrote:
> In order to make even smaller Fedora base images, it was proposed to switch
> libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which
> motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now
> deprecated an
In order to make even smaller Fedora base images, it was proposed to switch
libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which
motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now
deprecated and libcurl is the only package that pulls NSS as its dependency
43 matches