Robert Relyea wrote:
> Nelson B Bolyard wrote:
>> Joe Orton wrote, On 2008-07-28 16:09:
>>> On Sat, Jul 26, 2008 at 05:17:56PM -0700, Nelson Bolyard wrote:
>>>> Daniel Stenberg wrote, On 2008-07-26 13:45:
>>>>> As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that
>>>>> GnuTLS has flaws in its API but NSS most certainly also has flaws as well
>>>>> _and_ notable missing features that GnuTLS offers.
>>>>>
>>>> Daniel, please tell us what features are missing that you would actually
>>>> use if they were present!
>>>>
>>> My basic questions about NSS usage relative to GnuTLS/OpenSSL are here:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=347691
>>>
>> NSS is not going to stop using PKCS#11 modules as its sole means of access
>> to stored keys and certs.  That just won't happen.  Kiss all that FIPS 140
>> validation goodbye if that happens.
>>
>> Someone could write a PKCS#11 module that uses PEM files as its storage.
>> It wouldn't be FIPS validated, at least not initially.  But please feel
>> free. :)

In that case, there's even less motivation to adopt NSS, since OpenSSL is 
moving ahead with validation and all the over-a-decade's worth of apps written 
for OpenSSL can benefit from that immediately, without any additional 
development effort.

> Actually someone did:)... we're working on fixing the bugs and getting
> it into NSS. I now have someone working to finish this up...
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=402712

That looks promising...

> (an early version is available in Fedora as part of the nss_compat_ossl
> library).

Following on from the discussion in 
https://bugzilla.mozilla.org/show_bug.cgi?id=292127 today I took a look at 
what would be involved in adding NSS support to OpenLDAP. Aside from the lack 
of hassle-free PEM support (which it appears may not be a problem for much 
longer) the other obvious source of pain is the lack of an intuitive API for 
selecting cipher suites. The notion of NSS_SetDomesticPolicy / 
NSS_SetExportPolicy / NSS_SetFrancePolicy is quaint at best. It's a relic of a 
closed-source legacy that makes no sense in FOSS that can be freely used 
anywhere in the world.

While there appears to be a function for enumerating the available cipher 
suites and their names, it would also be convenient to have a function that 
returns the cipher number for a given name, to make it easier to work with 
settings read from a configuration file.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto