[ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12635612#action_12635612 ]

Ian Pye commented on THRIFT-106:
--------------------------------

1) I switched to working with openssl because I was having a hard time getting 
the memory allocation working 100% reliably with gnutls and eventually got fed 
up with having hard-to-track-down warnings about double free()s and such coming 
up all the time. I find openssl's BIO abstraction much easier to work with 
(this may say more about me than about openssl, though). Also, just on the basis 
of my very ad-hoc tests, openssl seems to be faster at setting up a secure 
connection than gnutls. Other reasons I switched include the popularity of 
openssl, and the fact that openssl's license is a bit more lax, just requiring 
citing the use of openssl in the linking source code (I believe). 

So, I don't know where you are at with the gnutls implementation and how stable 
it is, but my general opinion is that openssl is a more mature project which is 
a lot more fun to code against. 

2) My understanding is that gnutls can emulate openssl, but not vice versa. 
With this emulation going, the two libraries are wire-compatible. One 
limitation of openssl is that it doesn't support OpenPGP authentication.

3) stunnel compiles against both SSLeay and OpenSSL. So an openssl-enabled thrift 
client could talk with a stunnel'd thrift server, and vice versa. But since 
gnutls can emulate openssl, it should also be able to interoperate with stunnel.


> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL connection w/ autogenerated self-signed x509 certs seems to be the state 
> of the art for rpc layers.
> If thrift had one ... that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> If someone does this, pls ping/email me; I will do some testing and write a 
> simple key mgmt utility.

-- 
This message is automatically generated by JIRA.