On Thursday, April 13, 2017 10:45:13 David Woodhouse wrote:
> On Mon, 2017-04-10 at 15:52 +0200, Kai Engert wrote:
> > On Mon, 2017-04-10 at 15:31 +0200, Kamil Dudka wrote:
> > > Anyway, I guess we should move this discussion to some curl- or
> > > nss-related channel...
> >
> > The question remains, if it makes sense to switch back to openssl, if the
> > consequence is a loss in completeness of certificate trust checking.
> >
> > In my opinion, a little bit of space saving shouldn't be a sufficient
> > argument for removing existing security functionality.
>
> FWIW I don't care much about "a little bit of space saving".
>
> I've been advocating that we build curl against something other than
> NSS for a long time, given that it violates our packaging guidelines
> because NSS doesn't properly integrate with the p11-kit configured
> tokens and doesn't support RFC7512 — and nss-pem fails to support lots
> of key files.
>
> I was thinking of GnuTLS though, which AIUI *would* have supported the
> non-trivial trust metadata because it uses p11-kit-trust.so/libnssckbi
> just like NSS does.
>
> I'm not sure what reasoning there was for switching to OpenSSL instead
> of GnuTLS...?

It was not my decision to be honest. Nevertheless, one objective reason
could be that libcurl already loads OpenSSL libraries transitively as a
dependency of libssh2. So after switching libcurl to OpenSSL, only one
crypto library will be sufficient for curl at run time.

Kamil

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
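The reply above rests on a verifiable claim: which TLS backend a given curl build reports, and which crypto libraries its libcurl actually pulls in at run time (for instance NSS plus, transitively via libssh2, OpenSSL). The following POSIX shell helpers are an added example for checking that on a system you administer; they are not code from the thread or from the curl or Fedora projects. The `curl -V` line and the `ldd` listing embedded below are constructed samples standing in for the real command output, and the set of recognised library names is an assumption covering the three backends discussed in the thread.

```shell
# Added example (not part of the thread): inspect which TLS backend a curl
# binary reports and which crypto stacks its libcurl links against.
# Sample command output is constructed and embedded so this runs offline;
# the real commands to feed the helpers are given in comments.

# Constructed first line of 'curl -V' for a curl built against NSS.
SAMPLE_CURL_V='curl 7.53.1 (x86_64-redhat-linux-gnu) libcurl/7.53.1 NSS/3.30 zlib/1.2.11 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.21.1'

# Constructed 'ldd /usr/lib64/libcurl.so.4' output for such a build: NSS
# directly, and OpenSSL (libssl/libcrypto) dragged in through libssh2.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd4e3fe000)
	libnss3.so => /lib64/libnss3.so (0x00007f1c2a9c0000)
	libssl3.so => /lib64/libssl3.so (0x00007f1c2a780000)
	libssh2.so.1 => /lib64/libssh2.so.1 (0x00007f1c2a540000)
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f1c2a2b0000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f1c29e20000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1c29a50000)'

# tls_backend: print the TLS library token (e.g. NSS/3.30, OpenSSL/1.1.0e,
# GnuTLS/3.5.10) from a 'curl -V' version line read on stdin.
# Real use:  curl -V | head -n 1 | tls_backend
tls_backend() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(NSS|OpenSSL|GnuTLS|LibreSSL|BoringSSL|wolfSSL|mbedTLS)\//) {
                print $i
                exit
            }
    }'
}

# crypto_libs: from 'ldd' output on stdin, print the sorted base names of
# the crypto/TLS libraries that are resolved (recognised set is an assumption).
# Real use:  ldd /usr/lib64/libcurl.so.4 | crypto_libs
crypto_libs() {
    awk '$2 == "=>" { name = $1; sub(/\.so.*/, "", name); print name }' \
        | grep -E '^lib(nss3|ssl3|ssl|crypto|gnutls|nettle)$' \
        | sort
}

# crypto_stacks: count how many distinct TLS stacks (NSS, OpenSSL, GnuTLS)
# the 'ldd' output on stdin resolves. A value above 1 is exactly the
# "two crypto libraries at run time" situation described in the reply.
# Real use:  ldd /usr/lib64/libcurl.so.4 | crypto_stacks
crypto_stacks() {
    crypto_libs | awk '
        /^lib(nss3|ssl3)$/   { s["NSS"] = 1 }
        /^lib(ssl|crypto)$/  { s["OpenSSL"] = 1 }
        /^lib(gnutls|nettle)$/ { s["GnuTLS"] = 1 }
        END { n = 0; for (k in s) n++; print n }'
}

# Stand-alone demonstration on the constructed samples.
printf 'backend: %s\n' "$(printf '%s\n' "$SAMPLE_CURL_V" | tls_backend)"
printf 'crypto libs:\n'; printf '%s\n' "$SAMPLE_LDD" | crypto_libs
printf 'distinct TLS stacks: %s\n' "$(printf '%s\n' "$SAMPLE_LDD" | crypto_stacks)"
```

On the constructed sample the backend is reported as NSS while two stacks (NSS and OpenSSL) are resolved, which is the dependency overlap the reply points to; running the real `curl -V` and `ldd` against a package in question gives the same picture for an actual build.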