[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Gap-dev-discuss] Quick solution for the Pantomime OpenSSL issue
|
From: |
Yavor Doganov |
|
Subject: |
[Gap-dev-discuss] Quick solution for the Pantomime OpenSSL issue |
|
Date: |
Sat, 02 Aug 2014 23:23:51 +0300 |
|
User-agent: |
Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (Gojō) APEL/10.8 Emacs/23.4 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO) |
I am proposing a patch that makes Pantomime use the built-in GnuTLS
support in GNUstep Base as a temporary solution for the licensing
issue. It is a complete replacement (and even enhancement) of the
existing OpenSSL implementation. I'm not pleased with it for reasons
explained below but as the Debian freeze is approaching quickly I have
to do something to keep GNUMail/LuserNET in the next stable release.
Good things:
* It is binary compatible. The patch is also fairly trivial -- so
simple and straightforward that I am a bit amazed that it works.
* All the job is done by Base via GSTLSHandle (or GSSSLHandle) so
there is zero maintenance cost (compared to a fully-fledged GnuTLS
implementation that has to track/adapt to changes in the library).
* I like the idea of delegating the job to something as fundamental as
GNUstep Base. This means that Pantomime doesn't have to link with
GnuTLS at all, and the patch *should* work with Base built with
--disable-tls --enable-openssl (i.e., with the OpenSSL bundle).
* There is a certain degree of flexibility as the behavior can be
controlled via the standardized (by Base) environment variables
GS_TLS_* and the GSTLS* user defaults. For example, you can change
the default GnuTLS priority, or enforce certificate verification.
This is not possible with Pantomime as it is now.
Bad things:
* AFAICS from the Apple documentation this functionality is not
available on MacOS X. If I understand the Base build system
correctly the NSFileHandle enhancements are not available even as
GNUstep Additions. That's why I call it a "temporary" solution.
* I had to resort to using private methods (-read:length: and
-write:length:). Not sure if it is possible at all to use only the
public API; more likely I'm being way too dumb and missing something
obvious. Help here would be greatly appreciated.
* The handshake timeout is hardcoded by Base (30 s) and not the
default timeout that Pantomime sets (60 s). Admittedly, this is a
minor issue.
* If you want to extend the Pantomime API to provide "proper" support
it is almost certain that GSTLS won't be sufficient. For example,
it would be nice if GNUMail displayed the invalid certificate and
allowed the user to inspect it and eventually add an exception. Or
to provide better error handling so that apps can display good and
descriptive error messages. Another reason why this patch can be
treated as a temporary solution only.
* It won't work with older GNUstep Base releases as the GSTLS stuff
was added fairly recently. Not sure how important is this given
that GNUMail from SVN trunk can't be built with Base 1.22.
Comments welcome.
gstls.patch
Description: Text document
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Gap-dev-discuss] Quick solution for the Pantomime OpenSSL issue,
Yavor Doganov <=