Re: TODO: GNU TLS

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: David Boreham <david_list(at)boreham(dot)org>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, pgsql-hackers(at)postgresql(dot)org, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, mark(at)mark(dot)mielke(dot)cc, Martijn van Oosterhout <kleptog(at)svana(dot)org>, Mark Kirkwood <markir(at)paradise(dot)net(dot)nz>
Subject: Re: TODO: GNU TLS
Date: 2006-12-31 03:14:19
Message-ID: 20061231031419.GY24675@kenobi.snowman.net
Lists: pgsql-hackers

* David Boreham (david_list(at)boreham(dot)org) wrote:
> Fascinating thread for the holidays. I found it interesting that nobody
> has mentioned NSS (former Netscape SSL library). It has its own bag of
> problems of course, but for me is potentially more attractive than GNU TLS.
> e.g. it has FIPS-140 certification and is actively under development by a
> software company with significant resources. It's also very widely
> deployed. I'm not saying that OpenSSL is bad (it'd probably be my first
> choice), just that there is another option besides GNU TLS.

Not sure what license that's under, but I don't know of any particular
reason it wouldn't be an option other than the work for GNUTLS has
already been done.

> BTW, if I may throw more gas on the licence debate flames -- the OpenLDAP
> client library depends on OpenSSL, and almost everything depends on
> OpenLDAP (e.g. PAM, SASL, any LDAP-enabled app). In 2003 Steven Frost
> submitted patches to the OL code to add GNU TLS support, but as far as I
> can tell that code is still not in the current OpenLDAP tree. Perhaps
> Steven could tell us what happened to that effort.

OpenLDAP upstream didn't want to accept the patch since it was written
by someone other than the person submitting it (Steve Langasek was the
original author). So Debian applied the patch locally and then it got
out of sync with OpenLDAP over time so now there's an effort underway to
port it to the current OpenLDAP branch (aiui anyway). I forget who's
leading that effort (it's not Steve) but I'm pretty sure the goal is to
have GNUTLS support in the next major version. While there were a few
issues initially with GNUTLS in the OpenLDAP library in Debian it didn't
take long for them to be sorted out and it's been what the OpenLDAP
libraries under Debian have been using for quite some time now...

Thanks,

Stephen
