Should we settle on one SSL implementation?

Bernardo Innocenti bernie at codewiz.org
Mon Oct 22 12:17:01 UTC 2007


I remember this topic being discussed some time ago,
but software is fluid and maybe it's time to respin
the topic.

It would seem a worthwhile goal to unify SSL/TLS
implementations like we did for spell checkers.
Or, if it turns out to be too hard, at least it would
be nice to their pki files.

We're now shipping no less than 4 different implementations
of SSL:

 - openssl (OpenBSD's implementation)
 - nss (Netscape's implementation)
 - gnutls (LGPL implementation)
 - puretls (Java implementation)

But which one should replace the others?

It is not clear to me.  Judging from dependencies, OpenSSL,
NSS and gnutls all seem equally popular in Fedora.

If we are to believe a non-independent comparison, gnutls
looks like the best choice:

  http://www.gnu.org/software/gnutls/comparison.html

I couldn't find good benchmarks around, but they would
make an important decision factor.

There are two good reasons not to choose OpenSSL: the
license is GPL incompatible and the ABI gets broken by
upstream very frequently.  Strangely enough, OpenSSL in
F8 is linked against nss instead of openssl.

Thoughts?

-- 
 \___/
 |___|   Bernardo Innocenti - http://www.codewiz.org/
  \___\  One Laptop Per Child - http://www.laptop.org/



