[Gluster-devel] Switching from OpenSSL to PolarSSL
John Mark Walker
jowalker at redhat.com
Tue May 27 13:47:44 UTC 2014
I think the main question regards CentOS support, with further questions about Debian/Ubuntu support.
If we have to ship PolarSSL packages with our releases to support major distros, is that too much of a burden?
-JM
----- Original Message -----
> One of my tasks for 3.6 is to update/improve the SSL code. Long ago, I
> had decided that part of the next major update to SSL should include
> switching from OpenSSL to PolarSSL. Why? Two reasons.
>
> (1) The OpenSSL API is awful, and poorly documented to boot. We have to
> go through some rather unpleasant contortions in the socket module to
> accommodate it. AFAICT, this would be less of a problem with PolarSSL.
>
> (2) OpenSSL is less secure. Since I had this thought, I've been paying
> attention to which SSL implementations respond first to each exploit.
> For BEAST and CRIME, PolarSSL was first. OpenSSL was consistently last,
> with GnuTLS and NSS in between. Heartbleed was an *entirely
> OpenSSL-specific* bug that never affected PolarSSL in the first place.
>
> The "BSD style" OpenSSL license has also caused some concern before.
> While those concerns have been minor, PolarSSL is straight GPLv2+ so
> even those should go away. The one negative I've found is that, while
> PolarSSL is in Fedora 20 and EPEL, it doesn't seem to have made it into
> RHEL (including RHEL7) yet.
>
> So, before I expend a ton of effort replacing this code, does anyone
> else think it shouldn't be done and that the enhancements should be made
> to the current OpenSSL code instead?
> _______________________________________________
> Gluster-devel mailing list
> Gluster-devel at gluster.org
> http://supercolony.gluster.org/mailman/listinfo/gluster-devel
>