libcurl + (NSS or openssl)

Dmitry Butskoy buc at odusz.so-cdu.ru
Thu Oct 9 11:45:16 UTC 2008


Matt_Domsch at Dell.com wrote:
> First, libcurl being built against nss.  Nss does not provide some
> functions which are necessary for NTLM authentication to succeed.  This
> has defeatured the 'curl' application, rendering it useless in
> environments where users are behind an NTLM-authenticating proxy.  This
> bites me personally every day.  Yes, NTLM is based on MD4 which is
> insecure. Nevertheless, choice of corporate proxy servers is often
> beyond the reach of even the most senior Linux developers (aside from
> changing jobs...)
>
> Second, libcurl being built against nss.  OpenWSMAN has an eventing
> capability, but this uses libcurl, which in turn would use a feature of
> openssl. But as libcurl is not built against openssl, the eventing
> capability at this point must be disabled in OpenWSMAN.  This capability
> will be important to the sblim-* systems management software stack which
> implements DMTF open standards.  I need to investigate further what the
> source of the problem here is.
>
> Arguably, one should discover the missing functionality from nss, and
> re-implement it so as to enable these functions.  However, as these
> functions do work if linked against openssl, I would prefer to see the
> expedient approach of linking libcurl against openssl again, and only
> release with it linked against nss once it is at feature parity for the
> functions used by software within Fedora.
>
> Can I ask that libcurl be rebuilt against openssl instead of nss for the
> time being?

You can, but it is obvious that a backward switch is very unlikely.

Adding some extra functionality to NSS seems questionable as well. 
Perhaps only in the far future. Unlike OpenSSL and GnuTLS, NSS seems 
more stable, more tested, more certified -- i.e. more conservative. 
Hence support for some "corner" cases is not a primary goal.

BTW, in some areas OpenSSL looks more promising. For example, Russia 
has chosen another way for crypto in state life -- the so-called GOST 
instead of RSA. OpenSSL will start to support it from 0.9.9; the plans of 
NSS are unknown... As a result, the compulsion for NSS in Fedora can make 
its usage impossible in the state organisations of some countries.

Another issue is license compatibility. Whilst OpenSSL is "widely used", 
it can be considered a "basic system application", hence programs may 
link with it anyway (due to some exception in the GPL etc...). After 
most things have been switched to NSS, OpenSSL itself will become 
"optional" instead of "system basic". The corresponding exception in the GPL 
will no longer apply, and the remaining GPL applications which still 
use OpenSSL will become illegal.


Just my thoughts...

~buc

More information about the fedora-devel-list mailing list