Should we settle on one SSL implementation?

Daniel P. Berrange berrange at redhat.com
Tue Oct 23 17:25:02 UTC 2007


On Tue, Oct 23, 2007 at 10:22:06AM -0700, Robert Relyea wrote:
> Another area that's a real problem is certificate validation. gnutls 
> itself does not do certificate validation (that's left to other 
> packages), openssl provided helper functions and pushes everything else 
> on the client. That means support for Crl's, OCSP, and PKIX would need 
> to be added to each and every application. With NSS, there is a single 
> call to validate certificates, and support for OCSP and CRL's come 
> automatically. Most of the conversions have simplified cert processing 
> in the NSS side.

That's rather misleading. I've implemented SSL support in 3 apps using GNU 
TLS and all of them had certificate validation done using the GNU TLS APIs,
including support for CRLs. Maybe NSS has more 'convenience' APIs for doing
cert validation in fewer API calls, but to claim GNU TLS doesn't do any 
validation is just FUD.

Dan
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 




More information about the fedora-devel-list mailing list