[Libvir] Re: Should we settle on one SSL implementation?
abartlet at samba.org
Tue Oct 23 01:02:18 UTC 2007
On Mon, 2007-10-22 at 14:47 +0100, Richard W.M. Jones wrote:
> Bernardo Innocenti wrote:
> > I remember this topic being discussed some time ago,
> > but software is fluid and maybe it's time to respin
> > the topic.
> > It would seem a worthwhile goal to unify SSL/TLS
> > implementations like we did for spell checkers.
> > Or, if it turns out to be too hard, at least it would
> > be nice to their pki files.
> I've asked whether we have a standard layout for /etc/pki before, but no
> one seems to know.
> > We're now shipping no less than 4 different implementations
> > of SSL:
> > - openssl (OpenBSD's implementation)
> > - nss (Netscape's implementation)
> > - gnutls (LGPL implementation)
> > - puretls (Java implementation)
> Make that at least five - ocaml-ocamlnet has a pure-OCaml SSL impl. I'm
> sure Perl & Python probably have their own too.
> > But which one should replace the others?
> When we implemented encryption in libvirt, we chose gnutls because it
> has excellent examples which allow you to actually write code to use it
> in a short period of time. The others have (or we perceived them to
> have) hideous, confusing or undocumented APIs.

While I'm currently grumpy at gnutls (on Debian actually, which is
running 2.0), I do agree its API and read/write callbacks make
integrating into an existing event system very nice.

Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com