[Libvir] Re: Should we settle on one SSL implementation?

Richard W.M. Jones rjones at redhat.com
Mon Oct 22 13:47:12 UTC 2007

Bernardo Innocenti wrote:
> I remember this topic being discussed some time ago,
> but software is fluid and maybe it's time to respin
> the topic.
> It would seem a worthwhile goal to unify SSL/TLS
> implementations like we did for spell checkers.
> Or, if it turns out to be too hard, at least it would
> be nice to their pki files.

I've asked whether we have a standard layout for /etc/pki before, but no 
one seems to know.

> We're now shipping no less than 4 different implementations
> of SSL:
> - openssl (OpenBSD's implementation)
> - nss (Netscape's implementation)
> - gnutls (LGPL implementation)
> - puretls (Java implementation)

Make that at least five - ocaml-ocamlnet has a pure-OCaml SSL impl.  I'm 
sure Perl & Python probably have their own too.

> But which one should replace the others?

When we implemented encryption in libvirt, we chose gnutls because it 
has excellent examples which allow you to actually write code to use it 
in a short period of time.  The others have (or we perceived them to 
have) hideous, confusing or undocumented APIs.

For a short while I documented the certificate management code in terms 
of the OpenSSL command line tools.  But after I found out about 
'certtool' (part of GnuTLS), I was able to rewrite that documentation 
and make it considerably simpler[1].  'certtool' is a lot more sane than 
the OpenSSL stuff.

Nevertheless, I don't think you're going to get rid of the competing SSL 
libraries.  Rewriting code to use a different API is a lot of make-work 
that no one wants to do, and doesn't contribute much benefit to anyone.


[1] http://libvirt.org/remote.html#Remote_certificates

Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom.  Registered in
England and Wales under Company Registration No. 03798903
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20071022/16f55bb0/attachment-0001.bin>

More information about the libvir-list mailing list