
Re: Has the time come to drop NSS?

From: Michael Stahl via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 21 Feb 2022 14:40:23 +0100

On 20/02/2022 14.18, Cristian Rodríguez wrote:
> On Fri, Feb 18, 2022 at 12:29 PM Michael Stahl via curl-library
> <curl-library_at_lists.haxx.se> wrote:
>
>> NSS is much preferred over OpenSSL because it has an ABI;
>
> I do not know which openssl version you are basing your analysis on...
> but much work and breakage
> have gone in during and after the 1.1.x development cycle to make a stable
> ABI at least possible.
> I haven't checked but it is likely that effort continued on 3.x.

so possibly the situation will be improved in 10 years' time.

meanwhile the oldest system our application is supposed to run on
(RHEL7) ships with OpenSSL 1.0.2.

>> OpenSSL on the other hand must be statically linked into every library
>> that uses it because inevitably some system library will load the
>> system's OpenSSL into the process which is a different version and then
>> symbols from 2 shared libs will trample over each other in ELF global
>> namespace and a crash is inevitable.
>
> Well.. yeah. that is one of the many downsides of the approach you are taking..
>
>> i believe that the OpenSSL libraries we ship use a hard-coded list of
>> built-in trusted CAs, which the user can't modify in any way, but i
>> haven't actually checked if that is still the case.
>
> You can add a trusted CA before the handshake takes place... so no, it
> is not the case.

this is not entirely satisfying.

ideally we do not really want to be in the business of deciding for the
user which CAs they do or do not trust.

we can easily make this decision Somebody Else's Problem on Windows and
macOS by using the system TLS stack, at least with curl.

do you know if it's possible to initialize OpenSSL in such a way that it
reads a trust database from the operating system, and do that centrally
for the whole process?

if we needed to patch 4 bundled libraries separately to get
this effect i would be rather sad.

but this could be helpful, in case such a database can be conveniently
located on every distro...

i think we already have this with NSS by using NSS_InitReadWrite().
Received on 2022-02-21
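One process-wide way to do what the question above asks about, as an added example that is not code from curl, NSS or the poster (Python's ssl module sits on OpenSSL, so it exposes the same default verify paths). It assumes OpenSSL reads the SSL_CERT_FILE / SSL_CERT_DIR environment variables whenever a library loads the default verify paths, and the distro bundle locations listed are a constructed list of well-known paths, not anything the mail states.

```python
import os
import ssl

# Constructed list of well-known CA bundle locations on common distros.
CANDIDATE_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian, Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL, CentOS, Fedora
    "/etc/ssl/ca-bundle.pem",              # openSUSE, SLES
    "/etc/ssl/cert.pem",                   # Alpine, FreeBSD
)


def find_os_bundle(candidates=CANDIDATE_BUNDLES):
    """Return the first existing, non-empty bundle path, or None."""
    for path in candidates:
        if os.path.isfile(path) and os.path.getsize(path) > 0:
            return path
    return None


def openssl_defaults():
    """Where this OpenSSL build looks for trust by default.

    cafile/capath are the compiled-in (OPENSSLDIR) locations; the *_env
    names are the environment variables OpenSSL consults to override them.
    """
    p = ssl.get_default_verify_paths()
    return {"cafile": p.openssl_cafile, "cafile_env": p.openssl_cafile_env,
            "capath": p.openssl_capath, "capath_env": p.openssl_capath_env}


def configure_process_trust(env, bundle):
    """Point every OpenSSL user in the process at `bundle` (env is os.environ).

    Must run before any bundled library creates its first SSL_CTX: OpenSSL reads
    the variable when it loads its default verify paths, so each copy of OpenSSL
    in the process that relies on those defaults sees the same store. Libraries
    that hard-code a bundle path or embed their own CA list are not affected.
    Returns the variable name that was set, or None when no bundle was found.
    """
    if bundle is None:
        return None
    var = openssl_defaults()["cafile_env"]  # "SSL_CERT_FILE" on OpenSSL builds
    env[var] = bundle
    return var


if __name__ == "__main__":
    bundle = find_os_bundle()
    print("compiled-in defaults:", openssl_defaults())
    print("OS bundle:", bundle, "set via", configure_process_trust(os.environ, bundle))
```

Setting the variable only redirects the default verify paths; a library that ships a fixed bundle path or a built-in CA list still has to be configured on its own.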