Mailing List Archive

openssl vs rsyslog
Hi Rainer,

I noticed that you added an openssl configure check. That probably
means, that you plan to add native SSL support via openssl. Please
note that OpenSSL and the GPL are incompatible [1], such packages are
usually rejected from Debian. You have two options:
- Either add a special exemption for OpenSSL
- Use another SSL implementation like GnuTLS [2] or NSS [3]


Cheers,
Michael

[1] http://www.gnome.org/~markmc/openssl-and-the-gpl.html
[2] http://www.gnu.org/software/gnutls/
[3] http://www.mozilla.org/projects/security/pki/nss/
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
openssl vs rsyslog [ In reply to ]
Oh, excellent feedback. And I thought that openssl is the workhorse of os tls - wrong perception obviously ;)

Can you point me to the problem description? What would i need to exempt?

Is any of the alternates suitable for production use, especially in a highly threaded environment? GNU, from the name, sounds appealing...

Any advice is deeply appreciated.

Thanks,
rainer

----- Original Message -----
From: "Michael Biebl" <mbiebl at gmail.com>
To: "rsyslog-users" <rsyslog at lists.adiscon.com>
Sent: 31.03.08 19:16
Subject: [rsyslog] openssl vs rsyslog

Hi Rainer,

I noticed that you added an openssl configure check. That probably
means, that you plan to add native SSL support via openssl. Please
note that OpenSSL and the GPL are incompatible [1], such packages are
usually rejected from Debian. You have two options:
- Either add a special exemption for OpenSSL
- Use another SSL implementation like GnuTLS [2] or NSS [3]


Cheers,
Michael

[1] http://www.gnome.org/~markmc/openssl-and-the-gpl.html
[2] http://www.gnu.org/software/gnutls/
[3] http://www.mozilla.org/projects/security/pki/nss/
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
openssl vs rsyslog [ In reply to ]
2008/3/31, Rainer Gerhards <rgerhards at hq.adiscon.com>:
> Oh, excellent feedback. And I thought that openssl is the workhorse of os tls - wrong perception obviously ;)
>
> Can you point me to the problem description? What would i need to exempt?

Google for "openssl gpl" and you should find relevant information.
E.g. [1] tries to summarize the problem.
It also has a proposal for such an OpenSSL exemption. You should add
this addendum to COPYING and probably also ship the original OpenSSL
COPYING file (e.g. as COPYING.OpenSSL)

>
> Is any of the alternates suitable for production use, especially in a highly threaded environment? GNU, from the name, sounds appealing...


A prominent example of a project using GnuTLS is e.g. samba (if it's
highly threaded, I don't know). OpenLDAP in Debian also uses GnuTLS.
A prominent example of a project using NSS is mozilla/firefox/thunderbird.

I think the more widely used library is GnuTLS. I really don't have
that much experience with either of these libraries, so it's hard to
give a recommendation.

Cheers,
Michael


> [1] http://www.gnome.org/~markmc/openssl-and-the-gpl.html
> [2] http://www.gnu.org/software/gnutls/
> [3] http://www.mozilla.org/projects/security/pki/nss/


--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
openssl vs rsyslog [ In reply to ]
On Mon, 2008-03-31 at 20:34 +0200, Michael Biebl wrote:
> 2008/3/31, Rainer Gerhards <rgerhards at hq.adiscon.com>:
> > Oh, excellent feedback. And I thought that openssl is the workhorse of os tls - wrong perception obviously ;)
> >
> > Can you point me to the problem description? What would i need to exempt?
>
> Google for "openssl gpl" and you should find relevant information.
> E.g. [1] tries to summarize the problem.
> It also has a proposal for such an OpenSSL exemption. You should add
> this addendum to COPYING and probably also ship the original OpenSSL
> COPYING file (e.g. as COPYING.OpenSSL)
>
> >
> > Is any of the alternates suitable for production use, especially in a highly threaded environment? GNU, from the name, sounds appealing...
>
>
> A prominent example of a project using GnuTLS is e.g. samba (if it's
> highly threaded, I don't know). OpenLDAP in Debian also uses GnuTLS.
> A prominent example of a project using NSS is mozilla/firefox/thunderbird.
>
> I think the more widely used library is GnuTLS. I really don't have
> that much experience with either of these libraries, so it's hard to
> give a recommendation.
>

the library that a lot of folks inside red hat and fedora are driving
people to is the mozilla nss library. It handles all the bits openssl
does and w/o the licensing problems.

-sv
openssl vs rsyslog [ In reply to ]
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Biebl
> Sent: Monday, March 31, 2008 8:35 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] openssl vs rsyslog
>
> 2008/3/31, Rainer Gerhards <rgerhards at hq.adiscon.com>:
> > Oh, excellent feedback. And I thought that openssl is the
> workhorse of os tls - wrong perception obviously ;)
> >
> > Can you point me to the problem description? What would i
> need to exempt?
>
> Google for "openssl gpl" and you should find relevant information.
> E.g. [1] tries to summarize the problem.
> It also has a proposal for such an OpenSSL exemption. You should add
> this addendum to COPYING and probably also ship the original OpenSSL
> COPYING file (e.g. as COPYING.OpenSSL)

Yes - sorry. I overlooked the link on the PDA. Will now read through it.
But if openssl means trouble, I'll prefer to stay away from it unless
there is *very* good reason. Your wake-up call was *right* in time. I
planned to do some major hacking tomorrow - nothing lost so far :) [and,
in case you wonder, yes, initial RELP is done ;)].

> > Is any of the alternates suitable for production use,
> especially in a highly threaded environment? GNU, from the
> name, sounds appealing...
>
>
> A prominent example of a project using GnuTLS is e.g. samba (if it's
> highly threaded, I don't know). OpenLDAP in Debian also uses GnuTLS.
> A prominent example of a project using NSS is
> mozilla/firefox/thunderbird.
>
> I think the more widely used library is GnuTLS. I really don't have
> that much experience with either of these libraries, so it's hard to
> give a recommendation.

At least it doesn't sound too bad ;)

Anyone with experience please comment.

Thanks again,
Rainer
>
> Cheers,
> Michael
>
>
> > [1] http://www.gnome.org/~markmc/openssl-and-the-gpl.html
> > [2] http://www.gnu.org/software/gnutls/
> > [3] http://www.mozilla.org/projects/security/pki/nss/
>
>
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
>
openssl vs rsyslog [ In reply to ]
Don't know if this helps, or if you got the same from COPYING.Openssl.
http://www.openssl.org/support/faq.html#LEGAL1


Rainer Gerhards wrote:
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com
>> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Biebl
>> Sent: Monday, March 31, 2008 8:35 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] openssl vs rsyslog
>>
>> 2008/3/31, Rainer Gerhards <rgerhards at hq.adiscon.com>:
>>> Oh, excellent feedback. And I thought that openssl is the
>> workhorse of os tls - wrong perception obviously ;)
>>> Can you point me to the problem description? What would i
>> need to exempt?
>>
>> Google for "openssl gpl" and you should find relevant information.
>> E.g. [1] tries to summarize the problem.
>> It also has a proposal for such an OpenSSL exemption. You should add
>> this addendum to COPYING and probably also ship the original OpenSSL
>> COPYING file (e.g. as COPYING.OpenSSL)
>
> Yes - sorry. I overlooked the link on the PDA. Will now read through it.
> But if openssl means trouble, I'll prefer to stay away from it unless
> there is *very* good reason. Your wake-up call was *right* in time. I
> planned to do some major hacking tomorrow - nothing lost so far :) [and,
> in case you wonder, yes, initial RELP is done ;)].
>
>>> Is any of the alternates suitable for production use,
>> especially in a highly threaded environment? GNU, from the
>> name, sounds appealing...
>>
>>
>> A prominent example of a project using GnuTLS is e.g. samba (if it's
>> highly threaded, I don't know). OpenLDAP in Debian also uses GnuTLS.
>> A prominent example of a project using NSS is
>> mozilla/firefox/thunderbird.
>>
>> I think the more widely used library is GnuTLS. I really don't have
>> that much experience with either of these libraries, so it's hard to
>> give a recommendation.
>
> At least it doesn't sound too bad ;)
>
> Anyone with experience please comment.
>
> Thanks again,
> Rainer
>> Cheers,
>> Michael
>>
>>
>>> [1] http://www.gnome.org/~markmc/openssl-and-the-gpl.html
>>> [2] http://www.gnu.org/software/gnutls/
>>> [3] http://www.mozilla.org/projects/security/pki/nss/
>>
>> --
>> Why is it that all of the instruments seeking intelligent life in the
>> universe are pointed away from Earth?
>>
>

--
Milton Calnek BSc, A/Slt(Ret.)
milton at calnek.com
306-717-8737


openssl vs rsyslog [ In reply to ]
Hi sv,

> the library that a lot of folks inside red hat and fedora are driving
> people to is the mozilla nss library. It handles all the bits openssl
> does and w/o the licensing problems.

Sounds promising. I just found

http://www.gnu.org/software/gnutls/comparison.html


And that makes GNU TLS quite appealing (no wonder given the source ;)).
Do you happen to have a link which tells why to use nss? That would be
excellent (but I am of course searching myself).

Thanks,
Rainer
openssl vs rsyslog [ In reply to ]
2008/3/31, seth vidal <skvidal at fedoraproject.org>:
> > A prominent example of a project using GnuTLS is e.g. samba (if it's
> > highly threaded, I don't know). OpenLDAP in Debian also uses GnuTLS.
> > A prominent example of a project using NSS is mozilla/firefox/thunderbird.
> >
> > I think the more widely used library is GnuTLS. I really don't have
> > that much experience with either of these libraries, so it's hard to
> > give a recommendation.
> >
>
>
> the library that a lot of folks inside red hat and fedora are driving
> people to is the mozilla nss library. It handles all the bits openssl
> does and w/o the licensing problems.

Interesting to know. Do you know any technical advantages of NSS over
GnuTLS (stability, features, nicer API, etc)?
At least on Debian I had the impression that GnuTLS was the preferred solution.
E.g. samba, openldap and exim4 originally use openssl but
contain a patch to use GnuTLS in Debian.
One reason might be that libgnutls is quite a bit smaller:
gnutls: installed size (on i386): 920 kb [1]
libnss3: installed size (on i386): 2472 kb, also requires the netscape
portable runtime library libnpr (588 kb) => ~3Mb [2]
Which imho is a plus for GnuTLS.


[1] http://packages.debian.org/sid/libgnutls26
[2] http://packages.debian.org/sid/libnss3-1d
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
openssl vs rsyslog [ In reply to ]
On Mon, 2008-03-31 at 21:10 +0200, Rainer Gerhards wrote:
> Hi sv,
>
> > the library that a lot of folks inside red hat and fedora are driving
> > people to is the mozilla nss library. It handles all the bits openssl
> > does and w/o the licensing problems.
>
> Sounds promising. I just found
>
> http://www.gnu.org/software/gnutls/comparison.html
>
>
> And that makes GNU TLS quite appealing (no wonder given the source ;)).
> Do you happen to have a link which tells why use nss? That would be
> excellent (but I am of course searching myself).
>


nss is fips certified:

http://www.mozilla.org/projects/security/pki/nss/fips/

which makes it easier to use in large gov't agencies.

gnutls is not certified.

nss is also where the fedora/red hat crypto consolidation is going....

there is also an api-helper library for transitioning from openssl to
nss.

if at all possible, go with nss.

-sv
openssl vs rsyslog [ In reply to ]
On Mon, 2008-03-31 at 21:18 +0200, Michael Biebl wrote:
> Interesting to know. Do you know any technical advantages of NSS over
> GnuTLS (stability, features, nicer API, etc)?

openssl transition library
fips certification.

http://www.mozilla.org/projects/security/pki/nss/fips/

the second one being the most important, I think.

-sv
openssl vs rsyslog [ In reply to ]
2008/3/31, seth vidal <skvidal at fedoraproject.org>:
> On Mon, 2008-03-31 at 21:18 +0200, Michael Biebl wrote:
> > Interesting to know. Do you know any technical advantages of NSS over
> > GnuTLS (stability, features, nicer API, etc)?
>
>
> openssl transition library
> fips certification.
>
> http://www.mozilla.org/projects/security/pki/nss/fips/
>
> the second one being the most important, I think.

Yeah, the openssl transition library doesn't concern us.

Why is the fips certification important for rsyslog?

Cheers,
Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
openssl vs rsyslog [ In reply to ]
> > Interesting to know. Do you know any technical advantages
> of NSS over
> > GnuTLS (stability, features, nicer API, etc)?
>
> openssl transition library
> fips certification.
>
> http://www.mozilla.org/projects/security/pki/nss/fips/
>
> the second one being the most important, I think.
>
> -sv

FIPS is a strong selling point, I have to admit. Especially as rsyslog
is heading towards the compliance space and trying to be as tamper-proof
as possible. On a quick look, GNUTLS looks a bit nicer to me (the NSPL
doesn't sound really good whereas the GNUTLS zlib implementation solves
something I intended to do). But FIPS...

Rainer
openssl vs rsyslog [ In reply to ]
Whatever I do - I'll try to create a small driver shim so that hopefully
different libraries could be used together with rsyslog. It depends on
the APIs, but in general that should not be too hard (but practice often
tells the difference).

On FIPS I made a comment, where I think the mails crossed.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Biebl
> Sent: Monday, March 31, 2008 9:27 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] openssl vs rsyslog
>
> 2008/3/31, seth vidal <skvidal at fedoraproject.org>:
> > On Mon, 2008-03-31 at 21:18 +0200, Michael Biebl wrote:
> > > Interesting to know. Do you know any technical
> advantages of NSS over
> > > GnuTLS (stability, features, nicer API, etc)?
> >
> >
> > openssl transition library
> > fips certification.
> >
> > http://www.mozilla.org/projects/security/pki/nss/fips/
> >
> > the second one being the most important, I think.
>
> Yeah, the openssl transition library doesn't concern us.
>
> Why is the fips certification important for rsyslog?
>
> Cheers,
> Michael
>
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
>
openssl vs rsyslog [ In reply to ]
Related question: does anybody know of a (sufficiently good) library
that abstracts differences between TLS implementations? I mean in the way
libdbi does for databases. It's obviously not important to have more
than one driver available at runtime, but it would be necessary to be
able to link against different TLS implementations.

If anybody has a suggestion, please let me know.

Thanks,
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Monday, March 31, 2008 9:30 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] openssl vs rsyslog
>
> Whatever I do - I'll try to create a small driver shim so that
> hopefully
> different libraries could be used together with rsyslog. It depends on
> the APIs, but in general that should not be too hard (but practice
> often
> tells the difference).
>
> On FIPS I made a comment, where I think the mails crossed.
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com
> > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Biebl
> > Sent: Monday, March 31, 2008 9:27 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] openssl vs rsyslog
> >
> > 2008/3/31, seth vidal <skvidal at fedoraproject.org>:
> > > On Mon, 2008-03-31 at 21:18 +0200, Michael Biebl wrote:
> > > > Interesting to know. Do you know any technical
> > advantages of NSS over
> > > > GnuTLS (stability, features, nicer API, etc)?
> > >
> > >
> > > openssl transition library
> > > fips certification.
> > >
> > > http://www.mozilla.org/projects/security/pki/nss/fips/
> > >
> > > the second one being the most important, I think.
> >
> > Yeah, the openssl transition library doesn't concern us.
> >
> > Why is the fips certification important for rsyslog?
> >
> > Cheers,
> > Michael
> >
> > --
> > Why is it that all of the instruments seeking intelligent life in the
> > universe are pointed away from Earth?
> >
openssl vs rsyslog [ In reply to ]
Hi,

On Tuesday 01 April 2008 08:56:45 am Rainer Gerhards wrote:
> Related question: does anybody know of a (sufficiently good) library
> that abstracts differences between TLS implementations? I mean in the way
> libdbi does for databases. It's obviously not important to have more
> than one driver available at runtime, but it would be necessary to be
> able to link against different TLS implementations.
>
> If anybody has a suggestion, please let me know.

you can look at nss_compat_ossl
http://rcritten.fedorapeople.org/nss_compat_ossl.html
http://fedoraproject.org/wiki/nss_compat_ossl

but when I talked to a guy who works on Fedora Crypto Consolidation, it was
suggested not to use the abstraction library, since all these TLS
implementations have kind of different "philosophy". It would be much cleaner
to use separate plugins for different TLS libraries.

Note that we would appreciate it a lot if you go with NSS.
http://fedoraproject.org/wiki/FedoraCryptoConsolidation
http://fedoraproject.org/wiki/CryptoConsolidationEval

> Thanks,
> Rainer
openssl vs rsyslog [ In reply to ]
Hi all,

> http://fedoraproject.org/wiki/FedoraCryptoConsolidation
> http://fedoraproject.org/wiki/CryptoConsolidationEval

This material (the big picture) is quite convincing. Are there similar
efforts in other distros?

To make a point, I'll probably start developing an abstraction layer that is
as slim as possible as a side-project (much like librelp) and see what I
can do with it. I'll probably start with NSS and then see what it takes
to move the other libs in. My initial focus will be on "get it going",
so it will not be a very secure solution at first.

All comments are still very welcome and will be considered. I just
thought it would be good to do a sum-up of my current thinking.

Rainer