One of my tasks for 3.6 is to update/improve the SSL code. Long ago, I had decided that part of the next major update to SSL should include switching from OpenSSL to PolarSSL. Why? Two reasons.

(1) The OpenSSL API is awful, and poorly documented to boot. We have to go through some rather unpleasant contortions in the socket module to accommodate it. AFAICT, this would be less of a problem with PolarSSL.

(2) OpenSSL is less secure. Since I had this thought, I've been paying attention to which SSL implementations respond first to each exploit. For BEAST and CRIME, PolarSSL was first. OpenSSL was consistently last, with GnuTLS and NSS in between. Heartbleed was an *entirely OpenSSL-specific* bug that never affected PolarSSL in the first place.

The "BSD style" OpenSSL license has also caused some concern before. While those concerns have been minor, PolarSSL is straight GPLv2+ so even those should go away.

The one negative I've found is that, while PolarSSL is in Fedora 20 and EPEL, it doesn't seem to have made it into RHEL (including RHEL7) yet.

So, before I expend a ton of effort replacing this code, does anyone else think it shouldn't be done and that the enhancements should be made to the current OpenSSL code instead?

_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://supercolony.gluster.org/mailman/listinfo/gluster-devel