> Are you sure about this? TLS has a wide variety of protocol options and the
> supported vs. "available" cryptosystem matrix is complex. Won't these all change if the
> underlying implementation changes?
Well, I focused mostly on the PKCS#11 changes, but for all its internal crypto operations SSSD has for some time now [1] supported OpenSSL, made it the default [2] and finally dropped NSS altogether [3]; the two crypto backends have been used as feature-parity alternatives. Probably not enough to compare, but from what I see in these matrices [4], there's basically nothing that NSS supports and OpenSSL doesn't (while it's true the other way around). Not to mention that we already switched to an OpenSSL-based version of SSSD in 21.10, and even if its user base can't be compared to 20.04, so far I haven't read about any related issues [5].

That said, if the SRU team would feel more confident in only having p11_child built with OpenSSL, it should be technically possible, though of course not as easy (nor probably as safe and future-proof) as switching completely.

[1] https://github.com/SSSD/sssd/issues/4521
[2] https://github.com/SSSD/sssd/pull/1042
[3] https://github.com/SSSD/sssd/issues/1041
[4] https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
[5] https://github.com/SSSD/sssd/issues?q=is%3Aissue+openssl+

** Bug watch added: github.com/SSSD/sssd/issues #4521
   https://github.com/SSSD/sssd/issues/4521
** Bug watch added: github.com/SSSD/sssd/issues #1041
   https://github.com/SSSD/sssd/issues/1041

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1905790

Title:
  Recompile SSSD in 20.04 using OpenSSL (instead of NSS) support

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1905790/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
