Alternative to BOTAN: OpenSSL

Tomek Mrugalski tomasz at isc.org
Wed Apr 16 10:38:24 UTC 2014


We were told by multiple sources (specifically, coming from FreeBSD
community and RedHat) that Kea dependency on Botan is an issue. I heard
the concerns coming from FreeBSD only second (or third) hand, so I can't
comment on their accuracy, but the issue was that to ever consider Kea
(or BIND10 DNS) for a default installation, it would require adding
an extra library to the base installation. The problem was not with botan being
unavailable.

The second objection to Botan was coming from RedHat. Thomas Hozza said
that RedHat has certification procedures and 3 crypto libraries passed
a detailed security audit: NSS, GNUTLS and OpenSSL. They are unwilling to
go through the hoops to certify a fourth library (botan).

Our plan was to get rid of Botan completely and replace it with OpenSSL,
as it is available everywhere and universally accepted. However, due to
recent developments with Heartbleed, people may revisit their
unconditional belief in OpenSSL. And so should we.

I'd like to propose changing our goal wrt Botan/OpenSSL a bit.
Instead of replacing Botan with OpenSSL as crypto provider, we should
have the capability to use either. Depending on the availability (or
parameter passed to ./configure) we could use Botan or OpenSSL.

For people who are allergic to Botan, we would recommend OpenSSL. And
vice versa.

Thoughts? Comments?

Tomek

