On 2012-11-12 20:44, Timo Sirainen wrote:
On 12.11.2012, at 6.13, Daniel L. Miller wrote:
The tiny bit of Googling I've done tells me GnuTLS seems to be a more standards-compliant implementation, and MAY be "safer" than OpenSSL. However, as OpenSSL is the de facto standard used by most Linux programs, acceptance of GnuTLS is quite limited. I've been intrigued by what I've read about it, and took a quick look at enabling support in Dovecot for GnuTLS directly - but while it didn't seem overly heavy at first glance, the fact that Timo doesn't want to do it tells me I'm underestimating the complexity.
I already once wrote GnuTLS support for Dovecot, but GnuTLS changed its APIs since then and it was probably originally already buggy. I think the only somewhat "special" APIs that Dovecot needs nowadays are related to reading cert/keys from memory instead of from files. If GnuTLS can do that, I don't think there's anything special in supporting it. Although it might be a bit complex to make it work properly asynchronously. istream-openssl was a bit annoying in that way (all the data read from the fd must be parsed and decoded all the way through to the SSL istream, regardless of any max buffer limits).
A while ago, I started working on GnuTLS support for Dovecot. While I didn't finish the implementation due to time constraints (the "abstract" API of lib-ssl-iostream is made for OpenSSL and you have to emulate some things), I think it would be possible to add GnuTLS support, and with GnuTLS it would be possible to load X.509 certificates from memory.
Regards, Matthias-Christian