On 2012-11-12 20:44, Timo Sirainen wrote:
> On 12.11.2012, at 6.13, Daniel L. Miller wrote:
>> The tiny bit of Googling I've done tells me GnuTLS seems to be a more standards-compliant implementation, and MAY be "safer" than OpenSSL. However, as OpenSSL is the de-facto standard used by most Linux programs, acceptance of GnuTLS is quite limited. I've been intrigued by what I've read about it, and took a quick look at enabling support in Dovecot for GnuTLS directly - but while it didn't seem overly heavy at first glance, the fact that Timo doesn't want to do it tells me I'm underestimating the complexity.
>
> I already once wrote GnuTLS support for Dovecot, but GnuTLS changed its APIs since then and it was probably originally already buggy. I think the only somewhat "special" APIs that Dovecot needs nowadays are related to reading certs/keys from memory instead of from files. If GnuTLS can do that, I don't think there's anything special in supporting it. Although it might be a bit complex to make it work properly asynchronously. istream-openssl was a bit annoying in that way (all the data read from the fd must be parsed and decoded all the way through to the SSL istream, regardless of any max buffer limits).
A while ago, I started working on GnuTLS support for Dovecot. While I didn't finish the implementation due to time constraints (the "abstract" API of lib-ssl-iostream is made for OpenSSL and you have to emulate some things), I think it would be possible to add GnuTLS support, and with GnuTLS it would be possible to load X.509 certificates from memory.

Regards,
Matthias-Christian
