<html><head></head><body>The only thing that I find that may be an issue for some use cases is <a href="https://polarssl.org/kb/generic/is-polarssl-fips-certified">https://polarssl.org/kb/generic/is-polarssl-fips-certified</a><br><br><div class="gmail_quote">On May 27, 2014 6:43:54 AM PDT, Jeff Darcy <jdarcy@redhat.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail">One of my tasks for 3.6 is to update/improve the SSL code. Long ago, I<br />had decided that part of the next major update to SSL should include<br />switching from OpenSSL to PolarSSL. Why? Two reasons.<br /><br />(1) The OpenSSL API is awful, and poorly documented to boot. We have to<br />go through some rather unpleasant contortions in the socket module to<br />accommodate it. AFAICT, this would be less of a problem with PolarSSL.<br /><br />(2) OpenSSL is less secure. Since I had this thought, I've been paying<br />attention to which SSL implementations respond first to each exploit.<br />For BEAST and CRIME, PolarSSL was first. OpenSSL was consistently last,<br />with GnuTLS and NSS in between. Heartbleed was an *entirely<br />OpenSSL-specific* bug that never affected PolarSSL in the first place.<br /><br />The "BSD style" OpenSSL license has also caused some concern before.<br />While those concerns have been minor, PolarSSL is straight GPLv2+ so<br
/>even those should go away. The one negative I've found is that, while<br />PolarSSL is in Fedora 20 and EPEL, it doesn't seem to have made it into<br />RHEL (including RHEL7) yet.<br /><br />So, before I expend a ton of effort replacing this code, does anyone<br />else think it shouldn't be done and that the enhancements should be made<br />to the current OpenSSL code instead?<br /><hr /><br />Gluster-devel mailing list<br />Gluster-devel@gluster.org<br /><a href="http://supercolony.gluster.org/mailman/listinfo/gluster-devel">http://supercolony.gluster.org/mailman/listinfo/gluster-devel</a><br /></pre></blockquote></div><br>
-- <br>
Sent from my Android device with K-9 Mail. Please excuse my brevity.</body></html>