[Dovecot] v2.1 memory usage

Jerry jerry at seibercom.net
Mon Nov 12 13:54:37 EET 2012


On Sun, 11 Nov 2012 20:13:54 -0800
Daniel L. Miller articulated:

> I don't know what the problem is - I just know that I've
> heard from a number of developers (including the Postfix & Dovecot
> developers) that they don't like OpenSSL - but while GnuTLS looks
> interesting they aren't interested in working on the interface -
> though they're willing to accept patches. (My full apologies right
> now if Timo or Wietse are offended by my speaking out of turn).
> 
> I'm no security
> expert, but I do know that OpenSSL has had issues with version
> compatiblity. I had a very troubled time during an OpenSSL/Postfix
> upgrade that left me non-functional until I found the exact version
> pairings required.
> 
> The tiny bit of Googling I've done tells me GnuTLS
> seems to be a more standards-compliant implementation, and MAY be
> "safer" than OpenSSL. However, as OpenSSL is the de-facto standard
> used by most Linux programs, acceptance of GnuTLS is quite limited.
> I've been intrigued by what I've read about it, and took a quick look
> at enabling support in Dovecot for GnuTLS directly - but while it
> didn't seem overly heavy at first glance the fact that Timo doesn't
> want to do it tells me I'm underestimating the complexity.

I have OpenSSL 1.0.1c 10 May 2012 installed on a FreeBSD machine that
also runs Postfix and Dovecot. When I first updated to the new version
from then 0.9x branch there were some minor problems. I believe that
there was something Wietse had to do to get Postfix fully functional in
the new environment, but it was done extremely quickly. The biggest
problem I faced was that I discovered that I had to recompile every
program on my system that depended on the new version of Openssl. Once
that was done, virtually every problem I experienced disappeared.

I am not aware of any developer who fears using the new version of
Openssl, although apparently you do. The fact that a newer version of
any software is not totally compatible with an older version is nothing
new. I am amazed when they are fully compatible. Openssl is the de
facto standard and I think that making a concerted effort to work with
it would be a wise choice.

I have also Googled and have not found any evidence that GnuTLS is more
"standards compliant" nor "safer". I would be interested in those URLs.
I would like to know who is making those claims and what their basis
for them actually is.

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________



More information about the dovecot mailing list