Should we settle on one SSL implementation?

Robert Relyea rrelyea at redhat.com
Tue Oct 23 17:32:27 UTC 2007


Daniel P. Berrange wrote:
> On Tue, Oct 23, 2007 at 10:22:06AM -0700, Robert Relyea wrote:
>   
>> Another area that's a real problem is certificate validation. gnutls 
>> itself does not do certificate validation (that's left to other 
>> packages); openssl provides helper functions and pushes everything else 
>> on the client. That means support for CRLs, OCSP, and PKIX would need 
>> to be added to each and every application. With NSS, there is a single 
>> call to validate certificates, and support for OCSP and CRLs comes 
>> automatically. Most of the conversions have simplified cert processing 
>> on the NSS side.
>>     
>
> That's rather misleading. I've implemented SSL support in 3 apps using GNU 
> TLS and all of them had certificate validation done using the GNU TLS APIs,
> including support for CRLs. Maybe NSS has more 'convenience' APIs for doing
> cert validation in fewer API calls, but to claim GNU TLS doesn't do any 
> validation is just FUD.
>   
My understanding was there was another package for certificate and DER 
processing. If GNU TLS uses a single API (or a small set of APIs) for 
certificate processing, then it will make the conversion tools for GNU 
TLS much easier.

In general GNU TLS does have better API separation than openssl. The issue 
GNU TLS applications would have is if they call into libgcrypt directly.

bob
> Dan
>   
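The thread above turns on the split between the two halves of certificate validation: chain building and name checking, which every library offers as a helper, and revocation checking (CRLs, OCSP), which some libraries leave to the application. The following Go program is an added example written for this archive page, not code from the thread, from Fedora, or from any of the libraries discussed. It uses Go's standard crypto/x509 package, which behaves like the openssl model Bob describes: `Verify` builds and checks the chain, but the CRL lookup is the application's job. The CA, leaf certificate, CRL, and hostname `server.example.test` are all constructed in memory for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed, in-memory PKI: a self-signed CA, one leaf
// certificate it issued, and a CRL from the same CA that revokes that leaf.
type testPKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
	CRL  *x509.RevocationList
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// buildPKI generates the constructed CA, leaf, and CRL used by the example.
func buildPKI() (*testPKI, error) {
	now := time.Now()
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(42),
		Subject:      pkix.Name{CommonName: "server.example.test"},
		DNSNames:     []string{"server.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &mustKey().PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	// The CRL lists the leaf's serial number as revoked.
	crlTmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	return &testPKI{CA: ca, Leaf: leaf, CRL: crl}, nil
}

// validateLeaf does the chain/name check the library provides, then the
// revocation check the application has to supply itself. A nil CRL means
// "no revocation data"; the caller's policy decides whether that is acceptable.
func validateLeaf(leaf, ca *x509.Certificate, crl *x509.RevocationList, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, DNSName: host, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if crl == nil {
		return nil
	}
	// The CRL is only usable if it was issued by this CA, is signed by it, and is current.
	if !bytes.Equal(crl.RawIssuer, ca.RawSubject) {
		return fmt.Errorf("crl issuer does not match CA subject")
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("crl signature check failed: %w", err)
	}
	if at.After(crl.NextUpdate) {
		return fmt.Errorf("crl is stale (nextUpdate %s)", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

func main() {
	pki, err := buildPKI()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	fmt.Println("chain only: ", validateLeaf(pki.Leaf, pki.CA, nil, "server.example.test", now))
	fmt.Println("with CRL:   ", validateLeaf(pki.Leaf, pki.CA, pki.CRL, "server.example.test", now))
	fmt.Println("wrong host: ", validateLeaf(pki.Leaf, pki.CA, nil, "other.example.test", now))
}
```

Run as-is, the first call succeeds, the second reports the leaf as revoked, and the third fails on the hostname. The point for the thread is the shape of `validateLeaf`: everything after the `Verify` call is logic the application owns (CRL freshness, issuer match, signature, serial lookup), and an application that stops after `Verify` silently accepts revoked certificates.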
