On 2016-12-19 15:07, John Dennis wrote:
> I'm not a big fan of NSS, it has its issues. As the author of the
> Python binding I'm quite aware of all the nasty behaviors NSS has and
> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
> has its own issues too. If you remove NSS you're also removing the
> option to support smart cards, HSMs etc. Perhaps before removing
> functionality it would be good to assess what the requirements are.
When Standa started to work on the PR, I raised similar concerns regarding the feature set of OpenSSL. I asked him to write a design spec to address some of the concerns.

HSM and smart card authentication are of no concern. Standa's PR replaces FreeIPA's internal HTTPS connection with an OpenSSL based implementation. It's used to communicate from an IPA client to an IPA server or from an IPA server to Dogtag. We don't support client cert auth for client to server. Smart card authentication is performed based on pkinit and Kerberos. Currently just IPA server to Dogtag uses client cert authentication. That part will be replaced with GSSAPI eventually.

I'm more concerned that we lose the ability to check the revocation state of certificates. Python's ssl module has no support for OCSP. OpenSSL's and Python's CRL capabilities are sub-par compared to NSS. The ssl module can load CRLs but it has no means to retrieve or update a CRL from a remote server.

For Fedora 26 we will have to deal with similar concerns for libldap. Fedora has switched from NSS to OpenSSL as TLS backend.

Christian