Investigate using OpenSSL (again) #104

Closed
michaelrsweet opened this issue Feb 17, 2021 · 12 comments
Comments

@michaelrsweet
Member

By popular request, will reconsider removal of OpenSSL in CUPS 1.x for CUPS 3.0.

@michaelrsweet michaelrsweet added enhancement New feature or request priority-medium labels Feb 17, 2021
@michaelrsweet michaelrsweet added this to the v3.0 milestone Feb 17, 2021
@DemiMarie

Mozilla’s NSS is another alternative, BTW.

@michaelrsweet
Member Author

@DemiMarie Perhaps, however if the point is to minimize the number of TLS libraries needed for a minimal install, using OpenSSL is a no-brainer...

@DemiMarie

Amazon’s s2n would actually be the one I prefer for server-side use, BTW.

@michaelrsweet
Member Author

@DemiMarie Hadn't heard of s2n, but looking at it I see a few issues:

  • They don't want people to look at this as a replacement for OpenSSL.
  • It seems to still depend on OpenSSL's libcrypto for the low-level crypto functions (it just implements the TLS layer).
  • It doesn't implement TLS 1.3.

@DemiMarie

@DemiMarie Hadn't heard of s2n, but looking at it I see a few issues:

  • They don't want people to look at this as a replacement for OpenSSL.
  • It seems to still depend on OpenSSL's libcrypto for the low-level crypto functions (it just implements the TLS layer).

The reason I suggested s2n is that it has less attack surface in the TLS layer. OpenSSL’s crypto code has a good track record.

  • It doesn't implement TLS 1.3.

Git master does at least. Not sure if that has made it into a release.

@mikhailnov

Are there any reasons why currently used gnutls is worse than OpenSSL?

@mikhailnov

mikhailnov commented Nov 8, 2021

As a distro package maintainer, I would ask to avoid using libraries with potentially unstable API and ABI; it will be a pain to maintain (do not know how stable s2n is, but usually such libraries do not maintain backwards compatibility properly and may even forget to bump the soname when breaking ABI).

@DemiMarie

As a distro package maintainer, I would ask to avoid using libraries with potentially unstable API and ABI; it will be a pain to maintain (do not know how stable s2n is, but usually such libraries do not maintain backwards compatibility properly and may even forget to bump the soname when breaking ABI).

Why do you state this?

@q66

q66 commented Jan 14, 2022

would be nice, I would very much like to include CUPS in the main repository of my distribution (since a variety of things needs it or at very least libcups) but I would like to avoid having to pull gnutls in there (it's in another section of the repository); I already have openssl in main, so having this would be great

@michaelrsweet
Member Author

This is now implemented (PR #362) for CUPS 2.4.2!

@michaelrsweet michaelrsweet modified the milestones: v3.0, 2.4.2 Mar 31, 2022
@michaelrsweet michaelrsweet self-assigned this Mar 31, 2022
@nanonyme

So is this specifically now OpenSSL1 and not OpenSSL3?

@michaelrsweet
Member Author

@nanonyme You can use OpenSSL 1.x or 3.x.
