Let's drop support for NSS!
dwmw2 at infradead.org
Sat Sep 13 06:17:15 EDT 2014
> On 13 sep. 2014, at 11:21, David Woodhouse <dwmw2 at infradead.org> wrote:
>>> 2014-09-13 1:13 GMT+02:00 Mark Doliner <mark at kingant.net>:
>>>> The biggest problem I see with dropping NSS is that we currently use
>>>> it in our Windows builds. But GnuTLS publishes Windows builds .
>>>> Even if we can't use their Windows builds, seems promising that it's
>>>> at least buildable on Windows. I haven't actually tried, though.
>>>> So, what do people think? Any objections? Are people ok with me
>>>> ripping out NSS without having a solution for building on Windows?
>>>> Would anyone else be able to tackle that?
>>> Current main branch builds with both GnuTLS and NSS (at least, it
>>> either with the "old" and the autoconf-based buildsystem.
>>> If there were any problems with dropping any of these libraries on
>>> I can handle that.
>> I don't think GnuTLS on Windows should pose many problems. We build the
>> OpenConnect VPN client on Windows using GnuTLS... and the person
>> most time on that port is the GnuTLS maintainer :)
>> I certainly wouldn't be sorry to see the back of the NSS/Lync
>> issue and having to tell users to export
>> NSS_SSL_CBC_RANDOM_IV=0 to make it work.
> Picking a TLS implementation based on the security fixes it lacks doesn’t
> sound like the greatest idea to me.
I forget the details but I'm fairly sure GnuTLS doesn't *lack* BEAST
mitigation. It's just that it does a better job of working around the
More information about the Devel