[Kea-users] Botan vs. OpenSSL dependency for Kea

Francis Dupont fdupont at isc.org
Fri Mar 4 08:03:54 UTC 2016


Adam Majer writes:
> The configure script seems to prefer Botan over OpenSSL. I'm uncertain
> if this is intentional or arbitrary.

=> it is intentional.

> Is there any benefit of using Botan over OpenSSL with Kea, aside from
> reduced dependency list? Is one crypto backend better tested?

=> at the beginning the only supported crypto backend was Botan which
does the job and has a number of advantages, for instance it is written
in C++. But for some reasons, mainly not technical, some customers
asked for an alternative crypto backend. So I chose OpenSSL because
it was available everywhere and SoftHSMv2 was a good example of
a tool using Botan and OpenSSL backends.
So the idea was and still is to provide flexibility in the crypto
backend choice. Note we use only hash and HMAC low-level functions
so Kea was, is and likely will never be affected by security bugs
which can be found in Botan and/or OpenSSL.

Regards

Francis Dupont <fdupont at isc.org>

PS: there is a pending fix for the cryptolink library code which requires
an OpenSSL version > 9.8. BTW versions <= 9.8 were phased out at the end
of 2015 so they should no longer be used anyway.
