Re: TODO: GNU TLS

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
Cc: mark(at)mark(dot)mielke(dot)cc, Martijn van Oosterhout <kleptog(at)svana(dot)org>, Mark Kirkwood <markir(at)paradise(dot)net(dot)nz>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: TODO: GNU TLS
Date: 2006-12-29 18:39:19
Message-ID: 20061229183919.GF24675@kenobi.snowman.net
Lists: pgsql-hackers

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> Actually everything about Debian (the project) is a political agenda.
> That doesn't mean that it is invalid though.

*smirk

> That being said, this topic is WAY OFF-TOPIC for the discussion. The
> discussion is:
>
> Will we accept GNU TLS.
>
> Currently there has not been one technical argument that is valid to
> have us include GNU TLS.

Well, perhaps you weren't following everything but I did try to bring up
a couple points about GNUTLS vs. OpenSSL which I'll mention again here
where more people might actually notice it, heh:

OpenSSL has more features and some niceties like the TLS_CACERTDIR
(I've asked for this in GNUTLS, actually, so it might have it soon)
They can each be faster than the other in some instances
(I'm not sure which though, I've heard of 15% differences in each
direction depending on architecture though)
GNUTLS has a nicer/better API
GNUTLS has a smaller memory footprint
OpenSSL is working to get NIST certification/approval
(it had it, but then lost it for some reason and they're working to
get that fixed)
GNUTLS has better documentation

Actually, from a comparison done for libcurl (which supports both):

GnuTLS vs OpenSSL
While these two libraries offer similar features, they are not equal. Both
libraries have features the other one lacks. libcurl does not (yet) offer a
standardized stable ABI if you decide to switch from using libcurl-openssl to
libcurl-gnutls or vice versa. The GnuTLS support is very recent in libcurl
and it has not been tested nor used very extensively, while the OpenSSL
equivalent code has been used and thus matured for more than seven (7)
years.

GnuTLS
- LGPL licensed
- supports SRP
- lacks SSLv2 support
- lacks MD2 support (used by at least some CA certs)
- lacks the crypto functions libcurl uses for NTLM

OpenSSL
- Original BSD licensed
- lacks SRP
- supports SSLv2
- older and more widely used
- provides crypto functions libcurl uses for NTLM
- libcurl can do non-blocking connects with it in 7.15.4 and later

That was from May 15, 2006:
http://curl.mirrors.cyberservers.net/legal/distro-dilemma.html

Regarding SSLv2 support, the GNUTLS page has this:

Support for TLS 1.1, TLS 1.0 and SSL 3.0 protocols

* Since SSL 2.0 is insecure it is not supported.
* TLS 1.2 is supported in the experimental branch.

> Now is there a legal argument? Maybe, but until an *attorney* states
> that there is an issue this is all m00t.
>
> Speaking of which I am going to bounce off to SPI and see if we can get
> an actual answer to this.

That would be interesting to find out. I'm kind of surprised it wasn't
brought up before so that we could say "well, from our understanding of
what our lawyer said..." or something along those lines.

Thanks,

Stephen
