[Ach] Webserver: IBM Http Server (IHS)

Adi Kriegisch adi at kriegisch.at
Fri Mar 28 17:57:17 CET 2014


Hey!

> +1, supporting other libraries than OpenSSL would be interesting, but there has been a decision to stick to OpenSSL for the time being.
I wouldn't call it a decision, it is rather "normative power of the
factual" (normative Kraft des Faktischen):
Almost all packaged software out there uses OpenSSL. Some software (mainly
on Debian) uses gnutls which is great but has some shortcomings:
* gnutls version in current stable is very old and lacking upstream
  support.
* there are fewer options to choose from:
  - no dh parameter selection (x)
  - no curve selection (x)
  - cipher string composition isn't as fine grained (xx)
  (and probably more)
(x) the functionality would be in the gnutls api but isn't exposed in the
    config files of the services that use gnutls.
(xx) this improved a lot in recent gnutls versions.

I'd love to see more software use gnutls, polarssl, nacl, ... but with
batteries included (more and better configuration options). I totally
agree with what Poul-Henning Kamp[1][2] said at FOSDEM about OpenSSL.
In other news[3] gmp6 was released (on which gnutls relies for example); now
go and read the misc section: we're far from getting anywhere with reliable
crypto.

-- Adi

[1] http://phk.freebsd.dk/_downloads/FOSDEM_2014.pdf
[2] https://www.youtube.com/watch?v=fwcl17Q0bpk
[3] https://gmplib.org/gmp6.0.html