[Development] Hacking guide for Qt's SSL Support

Richard Moore rich at kde.org
Mon Jan 2 13:14:10 CET 2012


On Sun, Jan 1, 2012 at 10:19 PM, Robin Burchell <robin+qt at viroteck.net> wrote:
> Hi,
>
> 2012/1/1 Andreas Aardal Hanssen <andreas at hanssen.name>:
>> [*] http://www.gnu.org/software/gnutls/ - dropped because it clearly stated
>> it was in early Alpha stage at the time, which I find to be really scary for
>> a security framework, and currently I don't think the licensing looks very
>> interesting. If OpenSSL does the job then why use GnuTLS?
>
> For what it's worth, I used to work on an application supporting both
> GnuTLS and OpenSSL. Our usage of OpenSSL ended up running into a few
> obscure, very hard-to-track bugs thanks to really obtuse API. GnuTLS
> had no such issues, and as such, was our recommended solution - and
> I'm hard pressed to think of many cases of bugs that we ever heard of
> that were caused by it.

OpenSSL is certainly pretty hard to debug, and the documentation
varies from poor to non-existent. I haven't looked into GnuTLS for
some time, so I'm not sure how full-featured it is these days. I'll
have another look.

>
> With regards to the question of library independence, I'd still argue
> that it's generally a good idea to be able to easily swap SSL
> implementations, and to avoid exposing library-specific details to
> clients. It's not something I feel too strongly about, though, as I
> certainly don't have any intention to write a GnuTLS backend anytime
> soon, even if it is something I'd enjoy seeing as a proof-of-concept.

I definitely agree that keeping the API separate from the
implementation is a good thing. There are however real users who rely
on the handle() methods and use those to provide additional
functionality by calling into OpenSSL directly. Continuing to support
those users means that any new backend would probably have to be an
addition, not a replacement (and maintaining two backends would be a
burden).

>
> With regards to licensing, GnuTLS's LGPL license is certainly a lot
> more straightforward than the OpenSSL situation, but again, I don't
> feel strongly about this personally.

Yes, that is definitely an advantage of GnuTLS.

Cheers

Rich.
