Orphaning 'nss_compat_ossl'

Florian Weimer fweimer at redhat.com
Mon May 4 09:55:36 UTC 2015


On 04/30/2015 06:27 PM, Ken Dreyer wrote:
> A day or two ago Ceph upstream was just discussing using this library
> to add HTTPS support to its embedded Civetweb server.
> nss-compat-ossl is not in Debian/Ubuntu, but we could try to make that
> happen... this announcement catches me by surprise. Is this library
> essentially dead upstream? Were there issues getting other projects to
> use it?

There are significant technical problems with this library.  Translation
of error return codes from called functions is incomplete.  It is
impossible to implement host name verification.  On top of that, you get
all the NSS problems: The public NSS API makes supporting STARTTLS
rather difficult.  NSS has even more global state than OpenSSL, and as a
result is quite problematic as an internal dependency.

Please do not use nss_compat_ossl.  Seriously.

-- 
Florian Weimer / Red Hat Product Security
