Re: TODO: GNU TLS - Mailing list pgsql-hackers
From | Stephen Frost |
---|---|
Subject | Re: TODO: GNU TLS |
Date | |
Msg-id | 20061229183919.GF24675@kenobi.snowman.net |
In response to | Re: TODO: GNU TLS ("Joshua D. Drake" <jd@commandprompt.com>) |
List | pgsql-hackers |
* Joshua D. Drake (jd@commandprompt.com) wrote:
> Actually everything about Debian (the project) is a political agenda.
> That doesn't mean that it is invalid though. *smirk
> That being said, this topic is WAY OFF-TOPIC for the discussion. The
> discussion is:
>
> Will we accept GNU TLS.
>
> Currently there has not been one technical argument that is valid to
> have us include GNU TLS.

Well, perhaps you weren't following everything but I did try to bring up
a couple points about GNUTLS vs. OpenSSL which I'll mention again here
where more people might actually notice it, heh:

- OpenSSL has more features and some niceties like the TLS_CACERTDIR
  (I've asked for this in GNUTLS, actually, so it might have it soon)
- They can each be faster than the other in some instances (I'm not sure
  which though, I've heard of 15% differences in each direction depending
  on architecture though)
- GNUTLS has a nicer/better API
- GNUTLS has a smaller memory footprint
- OpenSSL is working to get NIST certification/approval (it had it, but
  then lost it for some reason and they're working to get that fixed)
- GNUTLS has better documentation

Actually, from a comparison done for libcurl (which supports both):

  GnuTLS vs OpenSSL

  While these two libraries offer similar features, they are not equal.
  Both libraries have features the other one lacks. libcurl does not
  (yet) offer a standardized stable ABI if you decide to switch from
  using libcurl-openssl to libcurl-gnutls or vice versa. The GnuTLS
  support is very recent in libcurl and it has not been tested nor used
  very extensively, while the OpenSSL equivalent code has been used and
  thus matured for more than seven (7) years.

  GnuTLS
  - LGPL licensed
  - supports SRP
  - lacks SSLv2 support
  - lacks MD2 support (used by at least some CA certs)
  - lacks the crypto functions libcurl uses for NTLM

  OpenSSL
  - Original BSD licensed
  - lacks SRP
  - supports SSLv2
  - older and more widely used
  - provides crypto functions libcurl uses for NTLM
  - libcurl can do non-blocking connects with it in 7.15.4 and later

That was from May 15, 2006:
http://curl.mirrors.cyberservers.net/legal/distro-dilemma.html

Regarding SSLv2 support, the GNUTLS page has this:

  Support for TLS 1.1, TLS 1.0 and SSL 3.0 protocols
  * Since SSL 2.0 is insecure it is not supported.
  * TLS 1.2 is supported in the experimental branch.

> Now is there a legal argument? Maybe, but until an *attorney* states
> that there is an issue this is all m00t.
>
> Speaking of which I am going to bounce off to SPI and see if we can get
> an actual answer to this.

That would be interesting to find out. I'm kind of surprised it wasn't
brought up before so that we could say "well, from our understanding of
what our lawyer said..." or something along those lines.

Thanks,

Stephen