Hi Justin,

On Thu, 25 Feb 2016 17:30:13 +0000
Justin Clift <jus...@postgresql.org> wrote:

> Out of curiosity, why the move towards OpenSSL? :)
> 
> Only asking because many OSS projects are moving *away* from it, due
> to OpenSSL's repeated (severe) vulnerabilities and known-lousy code base.
>
> Gluster was thinking about shifting away from OpenSSL a while back too, and
> alternatives such as PolarSSL, LibreSSL (etc) were raised in discussion.
>
> PowerDNS was an example I pointed out of PolarSSL usage, so it's not empty
> curiosity. :)

So first off, we don't use the TLS stacks from any of the crypto libraries, 
just the hash and cryptographic primitives to sign for DNSSEC, so we're most 
likely hardly affected by OpenSSL TLS issues.

The main reason we switched to OpenSSL is that in our testing, we noticed that 
signature generation was an order of magnitude faster with OpenSSL compared to 
mbedTLS and Crypto++ due to the ASM optimizations of OpenSSL. I tested building 
against LibreSSL 2.3, which works :), so you can always do that.

Best regards,

Pieter

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
_______________________________________________
Pdns-dev mailing list
Pdns-dev@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-dev
