-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/04/12 11:55, Fabian Knittel wrote:
> Hi Alon,
>
> 2012/4/2 Alon Bar-Lev <alon.bar...@gmail.com>:
>> I also intend to work and cleanup the whole PolarSSL/OpenSSL
>> mess...
>>
>> Design will be to introduce crypto engine callback structure,
>> registering openssl and polarssl, in a way that code is using
>> the callback structure while using runtime configuration one can
>> select which engine to use (if both are available).
>
> What would be the use-case for switching crypto libraries at
> runtime? Would this be an important step towards the OpenVPN 3.0
> concept? (Otherwise this sounds like quite a bit of work and
> potentially more processing overhead...)
The only advantage I see at runtime switching is that it's easier for distributors to support both SSL/crypto library platforms. Except for that, I don't see much benefit of it. And f.ex. in the use case of OpenVPN-NL, I doubt this will be considered interesting at all, as they do static linking against the SSL/crypto libraries - to ensure that the libraries Fox-IT have reviewed and certified for governmental usage are used, and not a potentially compromised or weakened third-party library.

To be very honest, I don't think it's worth the effort of adding dynamic loading of SSL/crypto libraries at run time. Having it at compile-time provides the needed flexibility. Yes, distributions can benefit from it, but is that burden so big we need to modify OpenVPN for it?

Let's rather stay cool now and rather discuss and consider such a move for OpenVPN 2.4. Then we will know more what distributors think about it.

kind regards,

David Sommerseth

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk95emAACgkQDC186MBRfrqdJACdHeabhSc1PBWO4kgholprGneY
J70An1zG5DyOXWM3nRrkLh7FI72NNua/
=SJw7
-----END PGP SIGNATURE-----