[Gluster-devel] Switching from OpenSSL to PolarSSL

Jeff Darcy jdarcy at redhat.com
Tue May 27 13:43:54 UTC 2014


One of my tasks for 3.6 is to update/improve the SSL code.  Long ago, I
had decided that part of the next major update to SSL should include
switching from OpenSSL to PolarSSL.  Why?  Two reasons.

(1) The OpenSSL API is awful, and poorly documented to boot.  We have to
go through some rather unpleasant contortions in the socket module to
accommodate it.  AFAICT, this would be less of a problem with PolarSSL.

(2) OpenSSL is less secure.  Since I had this thought, I've been paying
attention to which SSL implementations respond first to each exploit.
For BEAST and CRIME, PolarSSL was first.  OpenSSL was consistently last,
with GnuTLS and NSS in between.  Heartbleed was an *entirely
OpenSSL-specific* bug that never affected PolarSSL in the first place.

The "BSD style" OpenSSL license has also caused some concern before.
While those concerns have been minor, PolarSSL is straight GPLv2+ so
even those should go away.  The one negative I've found is that, while
PolarSSL is in Fedora 20 and EPEL, it doesn't seem to have made it into
RHEL (including RHEL7) yet.

So, before I expend a ton of effort replacing this code, does anyone
else think it shouldn't be done and that the enhancements should be made
to the current OpenSSL code instead?

