[Dovecot] v2.1 memory usage

Daniel L. Miller dmiller at amfes.com
Mon Nov 12 06:13:54 EET 2012


 

On 2012-11-11 17:20, Reindl Harald wrote: 

> On 12.11.2012 02:11, Daniel L. Miller wrote:
>
>> On 11/6/2012 12:30 PM, Timo Sirainen wrote:
>>
>>> On 6.11.2012, at 17.26, Ed W wrote:
>>>
>>>> On 05/11/2012 23:22, Timo Sirainen wrote:
>>>>
>>>>> On Mon, 2012-11-05 at 23:40 +0200, Timo Sirainen wrote:
>>>>> This also provides a nice abstraction to OpenSSL, making it
>>>>> again possible to implement other backends like GnuTLS or NSS.
>>>>> (Except login process code doesn't use lib-ssl-iostream yet.)
>>>> Does libtomcrypt implement enough?
>>> It doesn't do SSL, which is all Dovecot cares about.
>> Can the GnuTLS OpenSSL compatibility layer be used safely?
>
> where is the problem with openssl?

I don't know what the problem is - I just know that I've heard from a
number of developers (including the Postfix & Dovecot developers) that
they don't like OpenSSL - but while GnuTLS looks interesting they
aren't interested in working on the interface - though they're willing
to accept patches. (My full apologies right now if Timo or Wietse are
offended by my speaking out of turn).

I'm no security expert, but I do know that OpenSSL has had issues with
version compatibility. I had a very troubled time during an
OpenSSL/Postfix upgrade that left me non-functional until I found the
exact version pairings required.

The tiny bit of Googling I've done tells me GnuTLS seems to be a more
standards-compliant implementation, and MAY be "safer" than OpenSSL.
However, as OpenSSL is the de-facto standard used by most Linux
programs, acceptance of GnuTLS is quite limited. I've been intrigued by
what I've read about it, and took a quick look at enabling support in
Dovecot for GnuTLS directly - but while it didn't seem overly heavy at
first glance the fact that Timo doesn't want to do it tells me I'm
underestimating the complexity.

-- 
Daniel
 

