help-gnutls

[Help-gnutls] Re: GnuTLS vs OpenSSL vs NSS


From: Simon Josefsson
Subject: [Help-gnutls] Re: GnuTLS vs OpenSSL vs NSS
Date: Thu, 03 May 2007 17:36:53 +0200
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.0.95 (gnu/linux)

Daniel Stenberg <address@hidden> writes:

> On Thu, 3 May 2007, Simon Josefsson wrote:
>
>> I've created some tables with a comparison between common TLS
>> implementations.  I'm running short of ideas on things to compare.
>> Any ideas or suggestions?  The URL is:
>>
>> http://www.gnu.org/software/gnutls/comparison.html
>>
>> What do you think?
>
> I love it! The fact that libcurl supports all three of these also
> makes it a great comparison table for me to point out to libcurl
> users.

Nice.

Btw, I intend to send the link to the OpenSSL/NSS communities, so they
can correct any errors and suggest other things to compare too.

> A few ideas:
>
> - Make the Yes/No boxes use different colors (perhaps green/red) to make it
>   easier to detect the differences when browsing casually.

Done.

> - The multi-threaded situation. With NSS they say no mutex callbacks are
>   necessary, with GnuTLS you need to set them in an _underlying_ crypto
>   library while in OpenSSL you use the OpenSSL API to set them.
>
> - The random seed situation. I don't know about the NSS in this aspect, but
>   again with GnuTLS you need to set them in an _underlying_ crypto library
>   while in OpenSSL you use the OpenSSL API.

Added, under a new "Portability concerns" table.  It got a bit verbose,
comments welcome.

> These two latter points are stuff I've planned to discuss with you to
> fix in a future GnuTLS but I've not yet had the time.

Fixing them would indeed be useful.  I'm not happy with how libgcrypt
creates additional thread-safety concerns for GnuTLS applications, but
fixing it is non-trivial and nobody has offered to work on it or sponsor
such work.

I expect the random seed API problem will be resolved soon, I noticed
some patches went into libgcrypt for this recently.

/Simon



