On 2-3-2016 23:58, Kyle Bader wrote:
>> I looked at libressl a bit. It still has the same license encumbrances
>> as openssl. So no real win there. And, since it's not packaged as part
>> of many linux distributions, the gpl/ssleay license incompatibility issue
>> becomes a real problem here. Hopefully a future version of libressl will
>> adopt a plain bsd license. I know they were working hard to discard
>> the crufty openssl build system, a good thing. When I worked with an
>> earlier version of openssl (adding a new hash or encryption algorithm,
>> I don't remember which today), I remember being disappointed at finding
>> internal interfaces that just assumed various max sizes of things. I hope
>> the libressl folks work on making those things better too.
>>
>> I'm not familiar with google's "boringSSL". Do you have some references
>> for it? I won't have the time to look at it right now - but I don't mind
>> learning at least a bit more about it. I see from wikipedia that it's
>> yet another fork of openssl - will they fix the license issue?
>>
>> I did look (mostly superficially) at,
>> botan libressl gnutls matrixssl mbed wolfssl cryptlib nss
>> & apple's "secure transport"
>> It was mostly superficial because my first question was "are there
>> a lot of other people using this" aka "am I going to be debugging
>> and supporting this myself"?
>
> BoringSSL
>
> https://boringssl.googlesource.com/boringssl/
>
> This might also be worth a look:
>
> https://github.com/awslabs/s2n

I myself have spoken to one of the people that works on integration of LibreSSL in FreeBSD ports (he lives in town here). And yes he tells me that it is a lot of work, but mainly because of the "liberties" that openssl allows. And even though LibreSSL attempts to be a plugin replacement, it is these edge corners which do work, but according to the API should not, that create the porting pain. So that would be another argument of trying to see if you can hook this in.
I'm sure you will find odd bits and pieces that do not work as expected. But in the end it will improve your code quality. Same feeling I have trying to port to FreeBSD. 99,9% is compatible, and sometimes Linuxisms creep in where they do not have to because POSIX is good enough. But you are right, on occasion you will hit a wall and damage your nose.

On the other hand, I'm upgrading openssl in all environments I maintain for the 3rd or 4th time in 2 years, because of major bugs in openssl. Doesn't say there are no bugs in the other implementations. But it was just a thing I was wondering when I saw the implementation come by.

And any implementation is better than none. So thanx for doing the work.

--WjW