On Sun, 11 Nov 2012 20:13:54 -0800 Daniel L. Miller articulated:

> I don't know what the problem is - I just know that I've heard from a number of developers (including the Postfix & Dovecot developers) that they don't like OpenSSL - but while GnuTLS looks interesting they aren't interested in working on the interface - though they're willing to accept patches. (My full apologies right now if Timo or Wietse are offended by my speaking out of turn).
>
> I'm no security expert, but I do know that OpenSSL has had issues with version compatibility. I had a very troubled time during an OpenSSL/Postfix upgrade that left me non-functional until I found the exact version pairings required.
>
> The tiny bit of Googling I've done tells me GnuTLS seems to be a more standards-compliant implementation, and MAY be "safer" than OpenSSL. However, as OpenSSL is the de-facto standard used by most Linux programs, acceptance of GnuTLS is quite limited. I've been intrigued by what I've read about it, and took a quick look at enabling support in Dovecot for GnuTLS directly - but while it didn't seem overly heavy at first glance, the fact that Timo doesn't want to do it tells me I'm underestimating the complexity.
I have OpenSSL 1.0.1c 10 May 2012 installed on a FreeBSD machine that also runs Postfix and Dovecot. When I first updated to the new version from the 0.9x branch there were some minor problems. I believe that there was something Wietse had to do to get Postfix fully functional in the new environment, but it was done extremely quickly. The biggest problem I faced was that I discovered that I had to recompile every program on my system that depended on the new version of OpenSSL. Once that was done, virtually every problem I experienced disappeared.

I am not aware of any developer who fears using the new version of OpenSSL, although apparently you do. The fact that a newer version of any software is not totally compatible with an older version is nothing new. I am amazed when they are fully compatible. OpenSSL is the de facto standard and I think that making a concerted effort to work with it would be a wise choice.

I have also Googled and have not found any evidence that GnuTLS is more "standards compliant" nor "safer". I would be interested in those URLs. I would like to know who is making those claims and what their basis for them actually is.

-- 
Jerry ♔
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
