Re: [Gluster-devel] Switching from OpenSSL to PolarSSL
I think the main question regards CentOS support, with further questions about Debian/Ubuntu support. If we have to ship PolarSSL packages with our releases to support major distros, is that too much of a burden? -JM - Original Message - One of my tasks for 3.6 is to update/improve the SSL code. Long ago, I had decided that part of the next major update to SSL should include switching from OpenSSL to PolarSSL. Why? Two reasons. (1) The OpenSSL API is awful, and poorly documented to boot. We have to go through some rather unpleasant contortions in the socket module to accommodate it. AFAICT, this would be less of a problem with PolarSSL. (2) OpenSSL is less secure. Since I had this thought, I've been paying attention to which SSL implementations respond first to each exploit. For BEAST and CRIME, PolarSSL was first. OpenSSL was consistently last, with GnuTLS and NSS in between. Heartbleed was an *entirely OpenSSL-specific* bug that never affected PolarSSL in the first place. The BSD style OpenSSL license has also caused some concern before. While those concerns have been minor, PolarSSL is straight GPLv2+ so even those should go away. The one negative I've found is that, while PolarSSL is in Fedora 20 and EPEL, it doesn't seem to have made it into RHEL (including RHEL7) yet. So, before I expend a ton of effort replacing this code, does anyone else think it shouldn't be done and that the enhancements should be made to the current OpenSSL code instead? ___ Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel ___ Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel
Re: [Gluster-devel] Switching from OpenSSL to PolarSSL
I think the main question regards CentOS support, with further questions about Debian/Ubuntu support. I believe CentOS would leverage the EPEL support. PolarSSL is already packaged for Debian (Wheezy) and Ubuntu (Trusty) so we should be set. If we have to ship PolarSSL packages with our releases to support major distros, is that too much of a burden? Nothing we haven't had to deal with before, but so far I think RHEL (without EPEL) is the only distro that even has a problem. This being an upstream mailing list, I think I can safely say that one downstream's problems don't change what's best for the project as a whole. ___ Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel
Re: [Gluster-devel] Switching from OpenSSL to PolarSSL
On 05/27/2014 09:43 AM, Jeff Darcy wrote: So, before I expend a ton of effort replacing this code, does anyone else think it shouldn't be done and that the enhancements should be made to the current OpenSSL code instead? The most compelling arguments — to me — are the speed with which things are fixed and the lack of Heartbleed vuln. PolarSSL appears to be the clear winner on both counts. My only concern is its 'pure' GPLv2+ license — is that compatible with with our 'GPLv2 or LGPLv3+' license. I'm not sure why the BSD-style OpenSSL license was an issue; perhaps just the GPL compatibility due to what looks like a weak advertising clause. In any event, it's license didn't pollute our code. Do we need to have our attorney bless the change. -- Kaleb ___ Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel
Re: [Gluster-devel] Switching from OpenSSL to PolarSSL
On 05/27/2014 11:00 AM, Kaleb KEITHLEY wrote: In any event, it's license didn't pollute our code. Do we need to have our attorney bless the change. _its_ license didn't pollute our code. -- Kaleb ___ Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel
Re: [Gluster-devel] Switching from OpenSSL to PolarSSL
My only concern is its 'pure' GPLv2+ license — is that compatible with with our 'GPLv2 or LGPLv3+' license. The answer that matters, as always, is that only a real lawyer can say. My own uninformed guess is that we would be considered a derivative of them (instead of vice versa) and thus we'd be OK as long as we had GPLv2 as a (not necessarily only) option. The thornier question is what would happen for a piece of code that was derivative of both. In that case it might need to be GPLv2 exactly to be redistributable with both, but - again - that's for the lawyers to say. I'm not sure why the BSD-style OpenSSL license was an issue; perhaps just the GPL compatibility due to what looks like a weak advertising clause. In any event, it's license didn't pollute our code. Do we need to have our attorney bless the change. We'd need to do that anyway, as we should with every incorporation of new code under new licenses. On the other hand, I'd be amazed if PolarSSL's license from the same family as ours was more problematic than OpenSSL's unique one. ___ Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel
Re: [Gluster-devel] Switching from OpenSSL to PolarSSL
It has a specific exclusion for GPL 3.0. https://polarssl.org/foss-license-exception On May 27, 2014 8:01:51 AM PDT, Kaleb KEITHLEY kkeit...@redhat.com wrote: On 05/27/2014 11:00 AM, Kaleb KEITHLEY wrote: In any event, it's license didn't pollute our code. Do we need to have our attorney bless the change. _its_ license didn't pollute our code. -- Kaleb ___ Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel -- Sent from my Android device with K-9 Mail. Please excuse my brevity.___ Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel
Re: [Gluster-devel] Switching from OpenSSL to PolarSSL
Also, IANAL, but their code is GPL compatible, even if they are being dicks and requiring copyright assignment for their proprietary dual licensing. But at least their code is GPL compatible, which OpenSSL's is not. So I say +1, use this. On Tue, May 27, 2014 at 11:44 AM, Joe Julian j...@julianfamily.org wrote: It has a specific exclusion for GPL 3.0. https://polarssl.org/foss-license-exception On May 27, 2014 8:01:51 AM PDT, Kaleb KEITHLEY kkeit...@redhat.com wrote: On 05/27/2014 11:00 AM, Kaleb KEITHLEY wrote: In any event, it's license didn't pollute our code. Do we need to have our attorney bless the change. _its_ license didn't pollute our code. -- Kaleb Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel -- Sent from my Android device with K-9 Mail. Please excuse my brevity. ___ Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel ___ Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel
Re: [Gluster-devel] Switching from OpenSSL to PolarSSL
The only thing that I find that may be an issue for some use cases is https://polarssl.org/kb/generic/is-polarssl-fips-certified On May 27, 2014 6:43:54 AM PDT, Jeff Darcy jda...@redhat.com wrote: One of my tasks for 3.6 is to update/improve the SSL code. Long ago, I had decided that part of the next major update to SSL should include switching from OpenSSL to PolarSSL. Why? Two reasons. (1) The OpenSSL API is awful, and poorly documented to boot. We have to go through some rather unpleasant contortions in the socket module to accommodate it. AFAICT, this would be less of a problem with PolarSSL. (2) OpenSSL is less secure. Since I had this thought, I've been paying attention to which SSL implementations respond first to each exploit. For BEAST and CRIME, PolarSSL was first. OpenSSL was consistently last, with GnuTLS and NSS in between. Heartbleed was an *entirely OpenSSL-specific* bug that never affected PolarSSL in the first place. The BSD style OpenSSL license has also caused some concern before. While those concerns have been minor, PolarSSL is straight GPLv2+ so even those should go away. The one negative I've found is that, while PolarSSL is in Fedora 20 and EPEL, it doesn't seem to have made it into RHEL (including RHEL7) yet. So, before I expend a ton of effort replacing this code, does anyone else think it shouldn't be done and that the enhancements should be made to the current OpenSSL code instead? ___ Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel -- Sent from my Android device with K-9 Mail. Please excuse my brevity.___ Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel
Re: [Gluster-devel] Switching from OpenSSL to PolarSSL
The only thing that I find that may be an issue for some use cases is https://polarssl.org/kb/generic/is-polarssl-fips-certified Not meaning to sound flippant, but if we ever did seek FIPS certification I suspect that our choice of SSL library would be the least of our worries. ___ Gluster-devel mailing list Gluster-devel@gluster.org http://supercolony.gluster.org/mailman/listinfo/gluster-devel