On Sun, Sep 1, 2024 at 8:19 AM Moorko <m...@moorko.net> wrote:
> I noticed that the OpenConnect package available in Linux distributions
> like Ubuntu and Fedora is built with GnuTLS rather than OpenSSL.
> Is there a specific reason for this?

Many such reasons, from my point of view…

1. Historically, OpenSSL didn't support the pre-release/non-standardized version of DTLS used by Cisco in a consistent or stable way (even though Cisco's own DTLS implementation was clearly built using a specific ancient version of OpenSSL 😵‍💫). OpenConnect's BDFL David Woodhouse had to cajole them into intentionally supporting it, and then to add tests for it so they'd stop breaking it over and over in new releases.

2. By contrast, GnuTLS developers have taken a personal interest in OpenConnect. In fact, the collaboration and curiosity that resulted from implementing Cisco's pre-release version of DTLS in GnuTLS largely inspired the development of ocserv 😃. See https://nikmav.blogspot.com/2013/11/inside-ssl-vpn-protocol.html

3. The GnuTLS API is well-designed, well-documented, and has fewer archaeological layers of legacy cruft.

4. The ocserv server is built with GnuTLS, and sometimes it's helpful to share code and knowledge between the client and server components.

> As far as I know, OpenSSL is more flexible

I'm not sure what "flexible" means specifically. OpenSSL is a very long-running project and contains several layers of legacy APIs that sometimes interact in strange ways. From my point of view as a longtime OpenConnect developer, most of the code that deals with TLS/DTLS/ESP directly is *simpler and more maintainable* in its GnuTLS versions than in its OpenSSL versions. Compare https://gitlab.com/openconnect/openconnect/-/blob/master/gnutls-dtls.c vs. https://gitlab.com/openconnect/openconnect/-/blob/master/openssl-dtls.c for instance.

Having worked with OpenSSL quite a bit in other commercial and FLOSS projects, I'd say that the "flexibility" of OpenSSL is more often a liability than an asset. 🤷🏻‍♂️

> and offers better performance.

What's the source for this "better performance" claim and how does it impact OpenConnect specifically?
Daniel

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel