Let's drop support for NSS!

David Woodhouse dwmw2 at infradead.org
Sat Sep 13 06:17:19 EDT 2014


>
> On 13 sep. 2014, at 11:21, David Woodhouse <dwmw2 at infradead.org> wrote:
>
>>
>>> 2014-09-13 1:13 GMT+02:00 Mark Doliner <mark at kingant.net>:
>>>
>>>> The biggest problem I see with dropping NSS is that we currently use
>>>> it in our Windows builds. But GnuTLS publishes Windows builds [3].
>>>> Even if we can't use their Windows builds, seems promising that it's
>>>> at least buildable on Windows. I haven't actually tried, though.
>>>>
>>>> So, what do people think? Any objections? Are people ok with me
>>>> ripping out NSS without having a solution for building on Windows?
>>>> Would anyone else be able to tackle that?
>>>>
>>>
>>> Current main branch builds with both GnuTLS and NSS (at least, it
>>> should), either with the "old" or the autoconf-based build system.
>>>
>>> If there were any problems with dropping any of these libraries on
>>> Windows, I can handle that.
>>
>> I don't think GnuTLS on Windows should pose many problems. We build the
>> OpenConnect VPN client on Windows using GnuTLS... and the person spending
>> most time on that port is the GnuTLS maintainer :)
>>
>> I certainly wouldn't be sorry to see the back of the NSS/Lync
>> compatibility issue and having to tell users to export
>> NSS_SSL_CBC_RANDOM_IV=0 to make it work.
>
> Picking a TLS implementation based on the security fixes it lacks doesn’t
> sound like the greatest idea to me.

I forget the details but I'm fairly sure GnuTLS doesn't *lack* BEAST
mitigation. It's just that it does a better job of working around the
Microsoft brokenness.


-- 
dwmw2
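The exchange above turns on what NSS_SSL_CBC_RANDOM_IV=0 actually switches off: NSS's 1/n-1 record splitting, the client-side BEAST mitigation for CBC cipher suites in TLS 1.0, where each record's IV is the last ciphertext block of the previous record. The following is an added example, not code from the project under discussion, from NSS or from GnuTLS. It models that chained-IV weakness with a toy block cipher (a Feistel network over SHA-256, standing in for any secure block cipher) and a simplified record layout of data || MAC || padding, both of which are assumptions of the example; the attacker model (chosen plaintext injected into the victim's connection, ciphertext visible on the wire, control over the length of the request prefix) is the one BEAST uses. The names `Tls10Sender`, `beast_attack` and `demo` are the example's own.

```python
"""Chosen-boundary (BEAST-style) guessing against TLS 1.0 chained-IV CBC,
and why 1/n-1 record splitting defeats it. Added example with a toy cipher
and simplified record framing (assumptions, not NSS's or GnuTLS's code)."""
import hashlib
import hmac
import os

BLOCK = 16


def _round_fn(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    """Toy 16-byte block cipher: a 6-round Feistel network keyed by SHA-256.
    It is a permutation, so E(x) == E(y) implies x == y, which the attack relies on."""
    l, r = block[:8], block[8:]
    for rnd in range(6):
        l, r = r, xor(l, _round_fn(key, rnd, r))
    return l + r


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key, iv, data):
    assert len(data) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class Tls10Sender:
    """TLS 1.0 style CBC sender: only the first IV is random; afterwards the
    IV of record n+1 is the last ciphertext block of record n (public).
    With split_records=True every application write goes out as a 1-byte
    record followed by the remaining n-1 bytes (NSS's mitigation)."""

    def __init__(self, split_records):
        self.enc_key = os.urandom(16)
        self.mac_key = os.urandom(16)
        self.iv = os.urandom(BLOCK)
        self.seq = 0
        self.split = split_records

    def _record(self, data):
        # Simplified framing: data || MAC(seq, data) || padding (assumption).
        mac = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + data,
                       hashlib.sha256).digest()[:16]
        body = data + mac
        pad = BLOCK - len(body) % BLOCK
        body += bytes([pad - 1]) * pad
        ct = cbc_encrypt(self.enc_key, self.iv, body)
        self.iv = ct[-BLOCK:]          # chained IV: known to anyone on the wire
        self.seq += 1
        return ct

    def send(self, data):
        if self.split and len(data) > 1:
            return self._record(data[:1]) + self._record(data[1:])
        return self._record(data)


def beast_attack(sender, c_prev, c_secret, last_block, candidates):
    """Attacker saw E(secret XOR c_prev) == c_secret on the wire and can inject
    chosen plaintext. For each guess it sends guess XOR c_prev XOR next_iv, so
    that the first cipher block becomes E(guess XOR c_prev) if next_iv was
    predicted correctly. Returns the recovered secret or None."""
    for guess in candidates:
        probe = xor(xor(guess, c_prev), last_block)   # last_block = predicted IV
        wire = sender.send(probe)
        last_block = wire[-BLOCK:]
        if any(wire[i:i + BLOCK] == c_secret for i in range(0, len(wire), BLOCK)):
            return guess
    return None


def demo(split_records, secret_no=417):
    """Victim sends prefix || secret; the attacker then guesses the secret from
    a small candidate set (constructed sample data)."""
    candidates = [b"session-id=%05d" % i for i in range(1000)]
    secret = candidates[secret_no]
    sender = Tls10Sender(split_records)
    # The attacker controls the prefix length so the secret lands block-aligned;
    # under splitting the first byte peels off into its own 2-block record.
    prefix = b"GET /aaaaaaaaaaaa"[:17 if split_records else 16]
    wire = sender.send(prefix + secret)
    skip = 2 * BLOCK if split_records else 0
    c_prev = wire[skip:skip + BLOCK]
    c_secret = wire[skip + BLOCK:skip + 2 * BLOCK]
    return beast_attack(sender, c_prev, c_secret, wire[-BLOCK:], candidates)


if __name__ == "__main__":
    print("chained IV, no splitting:", demo(False))   # secret recovered
    print("with 1/n-1 splitting:   ", demo(True))    # None: IV unpredictable
```

Without splitting the attacker's prediction of the next IV is exact, so each probe is a clean equality oracle on one plaintext block and the secret falls out after at most one pass over the candidates. With splitting, the n-1 byte record is encrypted under an IV that is the ciphertext of a 1-byte record whose MAC depends on the secret MAC key, so the IV is unknown at the moment the attacker chooses the probe and the oracle never fires. That is the property the environment variable in the thread disables, which is why the compatibility workaround is a real security trade-off rather than a cosmetic one.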


