From: David W. <dw...@in...> - 2016-02-27 13:16:16
> On Fri, 2016-02-26 at 22:36 +0200, Michael Jackson wrote:
>
>> [...]
>> After the heartbleed fiasco, RH has been switching as much as
>> possible to use NSS and stopped linking against OpenSSL. NSS is
>> probably far more portable than OpenSSL, and would probably be a
>> better target for integration.
>
> I do not believe you are a Red Hat spokesperson, and as far as I know
> none of these are true.

Red Hat *did* switch a bunch of stuff to NSS in the past but IIRC that
was FIPS-related.

These days we ought to be doing the opposite -- there are open bugs for
things like curl for "does not accept PKCS#11 URI" (#1219544) which
could be solved just by building against GnuTLS. Could be made to work
with OpenSSL too but requires jumping through extra libp11/engine hoops
because OpenSSL doesn't have that support built in ... which brings us
nicely back on topic :)

NSS at this point is *not* a better target for integration. Not before
https://bugzilla.mozilla.org/show_bug.cgi?id=1161219 and
https://bugzilla.mozilla.org/show_bug.cgi?id=1162897 are fixed.

--
dwmw2