On Sun, 11 Nov 2012 20:13:54 -0800 Daniel L. Miller articulated:
I don't know what the problem is - I just know that I've heard from a number of developers (including the Postfix & Dovecot developers) that they don't like OpenSSL - but while GnuTLS looks interesting they aren't interested in working on the interface - though they're willing to accept patches. (My full apologies right now if Timo or Wietse are offended by my speaking out of turn).
I'm no security expert, but I do know that OpenSSL has had issues with version compatiblity. I had a very troubled time during an OpenSSL/Postfix upgrade that left me non-functional until I found the exact version pairings required.
The tiny bit of Googling I've done tells me GnuTLS seems to be a more standards-compliant implementation, and MAY be "safer" than OpenSSL. However, as OpenSSL is the de-facto standard used by most Linux programs, acceptance of GnuTLS is quite limited. I've been intrigued by what I've read about it, and took a quick look at enabling support in Dovecot for GnuTLS directly - but while it didn't seem overly heavy at first glance the fact that Timo doesn't want to do it tells me I'm underestimating the complexity.
I have OpenSSL 1.0.1c 10 May 2012 installed on a FreeBSD machine that also runs Postfix and Dovecot. When I first updated to the new version from then 0.9x branch there were some minor problems. I believe that there was something Wietse had to do to get Postfix fully functional in the new environment, but it was done extremely quickly. The biggest problem I faced was that I discovered that I had to recompile every program on my system that depended on the new version of Openssl. Once that was done, virtually every problem I experienced disappeared.
I am not aware of any developer who fears using the new version of Openssl, although apparently you do. The fact that a newer version of any software is not totally compatible with an older version is nothing new. I am amazed when they are fully compatible. Openssl is the de facto standard and I think that making a concerted effort to work with it would be a wise choice.
I have also Googled and have not found any evidence that GnuTLS is more "standards compliant" nor "safer". I would be interested in those URLs. I would like to know who is making those claims and what their basis for them actually is.
-- Jerry ♔
Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.