Fedora Crypto Consolidation Project
Rob Crittenden
rcritten at redhat.com
Thu Aug 23 12:52:16 UTC 2007
Joe Orton wrote:
> On Wed, Aug 22, 2007 at 05:51:20PM -0700, Robert Relyea wrote:
>> Steve Grubb wrote:
>>> I wanted to announce a new Fedora Project that will span several distro
>>> releases and outline the reasons why we are starting this project. I
>>> believe this issue affects the whole Open Source Community. But don't
>>> think anyone has explained all the issues.
>>> We're looking for people interested in enabling NSS in their packages and
>>> feeding the changes upstream.
>>>
>> A list of packages that need to be looked at can now be found at:
>> https://fedoraproject.org/wiki/CryptoConsolidationScorecard
>
> Switching OpenLDAP to use NSS may be painful because of the exposure of
> the SSL_CTX * in the API via LDAP_OPT_X_TLS_CTX, though I don't know how
> widely that is used. Would it be less painful to switch from OpenLDAP
> to the Mozilla LDAP toolkit (now part of the FDS?) at the same time?
>
> I'm not sure what part mod_nss plays in this plan - it is not a
> substitute for mod_ssl. Doing this properly means porting mod_ssl
> upstream to use NSS and supporting existing configurations on that
> platform, as we've discussed off-line before. (same thing applies to
> subversion with neon)
>
I'm not sure what you mean by mod_nss not being a substitute for
mod_ssl. It is a derivation of it and there are few differences. It is
fairly straightforward to convert a mod_ssl configuration to mod_nss.
What may be better in the long run, and I'm not sure if this is what you
are suggesting, would be to completely rewrite mod_ssl and abstract out
the SSL calls completely (à la libcurl). Then any SSL provider (GnuTLS,
OpenSSL, NSS, etc.) could write a backend for it. This would be quite a
large job though. And there would likely still be
implementation-specific options (such as verifydepth).
rob