On Tue, Dec 01, 2020 at 03:33:45AM -0000, Marco Trevisan (Treviño) wrote:
> Probably not enough to compare, but from what I see in these matrices
> [4], there's basically nothing that NSS supports and OpenSSL doesn't
> (while it's true the other way around).

OK, but what about build configuration and default enabled cryptosuites and suchlike? For example we've "locked down" OpenSSL's default configuration to no longer support some older cryptosuites. Will swapping NSS for OpenSSL cause user configurations to narrow the set of cryptosuites that are enabled?

What if, for example, someone has an LDAP server that only supports older TLS, and switching to OpenSSL causes their sssd LDAP TLS client to require newer TLS because of our stronger defaults?

What I describe would result in a regression for that user until they reconfigure things. Is this a realistic possibility?

> Not to mention that we already switched to an OpenSSL-based version of
> SSSD in 21.10, and even if its user base can't be compared to 20.04, so
> far I didn't read about related issues [5].

I think you're thinking of functional regressions here (i.e. introducing actual bugs), whereas I'm more bothered about regressing edge case user configurations (e.g. introducing a change that requires users to change their local configurations to avoid a behavioural regression).

--
https://bugs.launchpad.net/bugs/1905790

Title:
  Recompile SSSD in 20.04 using OpenSSL (instead of NSS) support