> Idly, http://www.libressl.org/ is one alternative, aiming to improve the code
> quality amongst other things. It includes a new libtls "designed to
> make it easier to write foolproof applications" as well as "libssl: a
> TLS library, backwards-compatible with OpenSSL".

Well, I can tell you that's how _I_ want to spend my free time: porting our code to OTHER TLS IMPLEMENTATIONS! :-)

In seriousness ... this is a tough one. I have zero love for the OpenSSL API (I wish someone would sit down and write how they expect memory management to work), but as far as I can tell it is by far the most popular TLS implementation out there; you're guaranteed to find either it shipped with the operating system or an available package of it. In terms of "mindshare", my extremely unscientific survey suggests that the second most popular TLS implementation is GnuTLS.

I had not heard of LibreSSL ... I mean, if people want to use it using the backwards-compatible OpenSSL interface, that seems pretty straightforward. Our use of the OpenSSL API is actually pretty small, and is now concentrated in one file; porting to a new TLS implementation should be pretty easy. If someone wants to do it, more power to them!

As for BoringSSL ... well, they say this:

    Although BoringSSL is an open source project, it is not intended for
    general use, as OpenSSL is. We don't recommend that third parties
    depend upon it. Doing so is likely to be frustrating because there
    are no guarantees of API or ABI stability.

I mean, I understand why it exists; it's designed for binary package distribution. But I don't think it would be useful for us; it would have all of the disadvantages of OpenSSL, but none of the advantages.

--Ken
