Hey,

thanks for taking your time to answer.

I want to give you an honest opinion of mine on merging WolfSSL in
OpenVPN. Please note that this is my personal opinion and not to be
confused with an official OpenVPN community project or OpenVPN Inc
position.

For every patch we have to decide if it is worth accepting it and if the
maintenance of the code is worthless and if the code itself is
acceptable. Adding a third crypto library duplicates an already existing
feature. So there needs to be a very compelling reason for us to add this
large feature.

We have not seen any involvement from your company in the OpenVPN
project so far. So accepting this patch and then later finding out that
we have high maintenance cost for it, is something I really would like
to avoid.

OpenVPN runs on small deployments but nothing that is really embedded.
And almost all these already have mbed TLS or OpenSSL in place. In the
main systems that OpenVPN targets, which are typical Unix systems or
Windows, I have not really seen much use of WolfSSL either or seen a
single email/issue/ticket requesting support for it, so from my personal
impression there seems to be not much need for WolfSSL.

In summary, I personally cannot really find a good reason to incorporate
WolfSSL currently into OpenVPN.

For the future of the patch: I would recommend that you keep maintaining
that patch out of tree. We incorporate the fixes and changes in the rest of
OpenVPN to make this a more viable option. If your involvement in
OpenVPN is high enough that I and others do feel that accepting the
patch is a burden anymore, it can be merged in the future.


> thank you for the feedback. To answer your questions:
> 
> 
> - Why WolfSSL in OpenVPN instead of mbed or OpenSSL
> wolfSSL can be compiled to use very few resources in a wide array of
> embedded environments.

That seems to be also the stated goal for mbed TLS.

> wolfSSL is FIPS ready - that is it has all the code available to be FIPS
> 140 validated on a platform.
> - What features does WolfSSL offer in OpenVPN that mbed/OpenSSL don't have
> wolfSSL has a large customer base and some of them would like to use
> OpenVPN with wolfSSL.

I personally do not care for FIPS. Also that feels more like marketing
for WolfSSL rather than what actually is an improvement to OpenVPN.


> - What is missing with WolfSSL?
> wolfSSL doesn’t support some older, weaker algorithms like Blowfish.
> wolfSSL also lacks support for CryptoAPI and exporting of keying material.

Otherwise it is a complete drop-in replacement for OpenSSL?

> - What are your future plans in terms of involvement in OpenVPN
> development and maintenance?
> Our plans are to help support and maintain the wolfSSL component of any
> project, including OpenVPN, that decides to incorporate our technology.

When I asked here I meant more involvement in the OpenVPN project, i.e.
helping with reviewing patches that are crypto related, looking into bug
fixing etc. Fox-IT, which did the mbed TLS port of OpenVPN, did and is
still involved in these kinds of things.

Furthermore the commitment here is a bit too vague for me even for the
maintenance of the WolfSSL support. It sounds like a PR phrase. "WolfSSL
component" for all that I know could just mean WolfSSL itself.

> Regarding our OpenSSL compatibility layer: we do have a compatibility
> layer for OpenSSL but it still lacks many features. In addition, using
> wolfSSL directly without an additional layer allows for better
> efficiency and performance.

This is very vague.

Arne


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
