On Fri, 12 Nov 2021 at 12:03:53 +0000, Stephan Verbücheln wrote:
> My impression is that web based projects lean towards OpenSSL, while
> for example the whole GTK/Gnome desktop stack is using GnuTLS (with
> nettle/hogweed). So you will not get rid of either crypto stack.
I believe the reason why GNOME-adjacent projects generally prefer GnuTLS is that GNOME's conventional license is LGPL (or sometimes GPL), resulting in licensing conflicts between the (L)GPL's copyleft and the OpenSSL 1.x license's advertising clause. For permissively-licensed (non-copyleft) projects, OpenSSL's licensing is less of a barrier, and a lot of web projects are permissively-licensed, so it's unsurprising if they lean towards OpenSSL.

In principle, GTK applications that require TLS should all or nearly all be using the TLS abstractions available in GLib since around 2011 (such as GTlsConnection), which get their implementation from plugins rather than directly from GLib, so that distributions that feel strongly about this sort of thing can use their preferred implementation without having to patch GLib. The usual TLS plugins for GLib come from GNOME's glib-networking, which has both GnuTLS and OpenSSL backends (although I believe the OpenSSL backend is still considered experimental, and we don't compile it in Debian). Third-party plugins are also possible, but I don't think we have any in Debian.

In practice, I'm sure some GNOME and GNOME-adjacent applications use GnuTLS, OpenSSL and/or NSS directly, either because they need finer control over TLS behaviour or because they are older than 2011 and never got converted to use GLib's TLS abstractions.

> And then there is NSS by Mozilla, and there is also libgcrypt, which is
> the basis of GnuPG. To my knowledge, it does not even share core
> routines with GnuTLS.

My understanding is that libgcrypt is a low-level crypto library comparable to nettle/hogweed and OpenSSL's libcrypto, whereas GnuTLS is a higher-level TLS library comparable to OpenSSL's libssl. GnuTLS 2.x used libgcrypt, which it shared with GnuPG. GnuTLS 3.x uses nettle/hogweed instead.

    smcv
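The practical question behind this thread is which of these stacks a given binary actually ends up using. The script below is an added example, not part of the message above or of glib-networking or GLib: it reads `ldd` output and reports which TLS-layer libraries (GnuTLS, OpenSSL libssl, NSS) and which low-level crypto libraries (nettle/hogweed, libcrypto, libgcrypt) the binary links directly, and flags a link against GIO, in which case TLS is supplied at run time by a glib-networking plugin rather than by a directly linked library. The soname patterns, the plugin file names `libgiognutls.so` and `libgioopenssl.so`, and the sample `ldd` output are my assumptions about a typical Debian-style system, not taken from the thread.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): which TLS / crypto stacks does a
# binary link, and does it get TLS through GIO plugins instead?
# Soname patterns and plugin file names below are assumptions about a Debian-style layout.

# classify_crypto_stacks: read ldd-style lines on stdin, print one line per recognised
# library family, sorted and de-duplicated. The grouping mirrors the layering in the
# thread: libssl / GnuTLS / NSS are TLS libraries, libcrypto / nettle / hogweed / libgcrypt
# are the low-level crypto underneath.
classify_crypto_stacks() {
    awk '
        /libssl\.so/      { hit["OpenSSL libssl (TLS)"] = 1 }
        /libcrypto\.so/   { hit["OpenSSL libcrypto (low-level crypto)"] = 1 }
        /libgnutls\.so/   { hit["GnuTLS (TLS)"] = 1 }
        /libnettle\.so/   { hit["nettle (low-level crypto used by GnuTLS 3.x)"] = 1 }
        /libhogweed\.so/  { hit["hogweed (public-key part of nettle)"] = 1 }
        /libgcrypt\.so/   { hit["libgcrypt (low-level crypto, GnuPG and GnuTLS 2.x)"] = 1 }
        /libnss3\.so/     { hit["NSS (Mozilla)"] = 1 }
        /libgio-2\.0\.so/ { hit["GIO (TLS comes from a glib-networking plugin)"] = 1 }
        END { for (k in hit) print k }
    ' | sort
}

# glib_tls_backends DIR: list the glib-networking TLS plugins installed in a GIO module
# directory. On a real system DIR is "$(pkg-config --variable=giomoduledir gio-2.0)", and
# GIO_USE_TLS=gnutls or GIO_USE_TLS=openssl selects between the installed backends.
glib_tls_backends() {
    dir=$1
    for mod in libgiognutls.so libgioopenssl.so; do
        [ -f "$dir/$mod" ] && echo "$mod"
    done
    return 0
}

# sample_ldd_output: constructed ldd output (not captured from a real binary) for a
# hypothetical GNOME application that links GIO and also uses GnuTLS directly.
sample_ldd_output() {
    cat <<'EOF'
        linux-vdso.so.1 (0x00007ffc3a5f0000)
        libgio-2.0.so.0 => /lib/x86_64-linux-gnu/libgio-2.0.so.0 (0x00007f3c1a400000)
        libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f3c1a200000)
        libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.8 (0x00007f3c1a1c0000)
        libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.so.6 (0x00007f3c1a180000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c19f80000)
EOF
}

# Usage: sh crypto-stacks.sh /path/to/binary  (no argument: run on the constructed sample)
if [ -n "$1" ]; then
    ldd "$1" | classify_crypto_stacks
else
    sample_ldd_output | classify_crypto_stacks
fi
```

A GIO hit on its own does not tell you which TLS implementation is in use; follow it with `glib_tls_backends` on the module directory (and check `GIO_USE_TLS` in the environment) to see which plugin will be loaded. Note that `ldd` only shows direct and transitive link-time dependencies, so libraries loaded with `dlopen` at run time, which is exactly how GIO loads its plugins, will not appear in the first report.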