[Gluster-devel] Switching from OpenSSL to PolarSSL
Joe Julian
joe at julianfamily.org
Tue May 27 15:59:01 UTC 2014
The only thing that I find that may be an issue for some use cases is https://polarssl.org/kb/generic/is-polarssl-fips-certified
On May 27, 2014 6:43:54 AM PDT, Jeff Darcy <jdarcy at redhat.com> wrote:
>One of my tasks for 3.6 is to update/improve the SSL code. Long ago, I
>had decided that part of the next major update to SSL should include
>switching from OpenSSL to PolarSSL. Why? Two reasons.
>
>(1) The OpenSSL API is awful, and poorly documented to boot. We have
>to
>go through some rather unpleasant contortions in the socket module to
>accommodate it. AFAICT, this would be less of a problem with PolarSSL.
>
>(2) OpenSSL is less secure. Since I had this thought, I've been paying
>attention to which SSL implementations respond first to each exploit.
>For BEAST and CRIME, PolarSSL was first. OpenSSL was consistently
>last,
>with GnuTLS and NSS in between. Heartbleed was an *entirely
>OpenSSL-specific* bug that never affected PolarSSL in the first place.
>
>The "BSD style" OpenSSL license has also caused some concern before.
>While those concerns have been minor, PolarSSL is straight GPLv2+ so
>even those should go away. The one negative I've found is that, while
>PolarSSL is in Fedora 20 and EPEL, it doesn't seem to have made it into
>RHEL (including RHEL7) yet.
>
>So, before I expend a ton of effort replacing this code, does anyone
>else think it shouldn't be done and that the enhancements should be
>made
>to the current OpenSSL code instead?
>_______________________________________________
>Gluster-devel mailing list
>Gluster-devel at gluster.org
>http://supercolony.gluster.org/mailman/listinfo/gluster-devel
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://supercolony.gluster.org/pipermail/gluster-devel/attachments/20140527/a3c0dbd5/attachment.html>
More information about the Gluster-devel
mailing list