Re: Orphaning 'nss_compat_ossl'

On 04/30/2015 06:27 PM, Ken Dreyer wrote:
> A day or two ago Ceph upstream was just discussing using this library
> for HTTPS support in its embedded Civetweb server.
> nss-compat-ossl is not in Debian/Ubuntu, but we could try to make that
> happen... this announcement catches me by surprise. Is this library
> essentially dead upstream? Were there issues getting other projects to
> use it?

There are significant technical problems with this library.  Translation
of error return codes from called functions is incomplete.  It is
impossible to implement host name verification.  On top of that, you get
all the NSS problems: The public NSS API makes supporting STARTTLS
rather difficult.  NSS has even more global state than OpenSSL, and as a
result is quite problematic as an internal dependency.

Please do not use nss_compat_ossl.  Seriously.

-- 
Florian Weimer / Red Hat Product Security
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




