Hi Robert,

On 27/06/16 18:12, Robert Edmonds via Unbound-users wrote:
> W.C.A. Wijngaards via Unbound-users wrote:
>> - Fix #594. libunbound: optionally use libnettle for crypto.
>> Contributed by Luca Bruno. Added --with-nettle for use with
>> --with-libunbound-only.
>
> Hi,
>
> I've received a request to enable this by default in the Debian package
> of libunbound:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828699
>
> Currently, GnuTLS cannot be compiled with DANE support as that would
> require linking against libunbound2; that is unsuitable since
> libunbound2 links against OpenSSL. As of unbound 1.5.7, compiling
> against libnettle is supported for libunbound2. Doing so would allow
> GnuTLS (and other GPL-licensed software) to make use of libunbound2.
> Could you please do so?
>
> Before I do that, I'd like to determine if the nettle support is
> considered production ready, and if so will it be supported long term?
> Is there any reason to prefer the current OpenSSL crypto implementation
> in Unbound, other than it existing longer?

It works fine, but --with-libunbound-only means the unbound daemon (and unbound-checkconf tools) do not get compiled. So, probably unsuitable for the general-purpose package, where people expect the unbound daemon to get installed.

The reason the daemon does not compile is that nettle (and libnss, the other crypto library option), have such different ways to handle SSL (or rather, TLS) connections.

Best regards, Wouter

>
> Thanks!
>
