On Mon, 2017-04-10 at 15:52 +0200, Kai Engert wrote:
> On Mon, 2017-04-10 at 15:31 +0200, Kamil Dudka wrote:
> > Anyway, I guess we should move this discussion to some curl- or nss-related
> > channel...
>
> The question remains, if it makes sense to switch back to openssl, if the
> consequence is a loss in completeness of certificate trust checking.
>
> In my opinion, a little bit of space saving shouldn't be a sufficient argument
> for removing existing security functionality.

FWIW I don't care much about "a little bit of space saving". I've been advocating that we build curl against something other than NSS for a long time, given that it violates our packaging guidelines because NSS doesn't properly integrate with the p11-kit configured tokens and doesn't support RFC7512 — and nss-pem fails to support lots of key files.

I was thinking of GnuTLS though, which AIUI *would* have supported the non-trivial trust metadata because it uses p11-kit-trust.so/libnssckbi just like NSS does.

I'm not sure what reasoning there was for switching to OpenSSL instead of GnuTLS...?