Re: [Nmh-workers] Starting the final call for features for 1.7

[Ken Hornstein]

>Idly, http://www.libressl.org/ is one alternative, aiming to improve the code
>quality amongst other things.  It includes a new libtls "designed to
>make it easier to write foolproof applications" as well as "libssl: a
>TLS library, backwards-compatible with OpenSSL".

Well, I can tell you that's how _I_ want to spend my free time: porting
our code to OTHER TLS IMPLEMENTATIONS! :-)

In seriousness ... this is a tough one.  I have zero love for the OpenSSL
API (I wish someone would sit down and write how they expect memory
management to work), but as far as I can tell it is by far the most
popular TLS implementation out there; you're guaranteed to find either
it shipped with the operating system or an available package of it.
In terms of "mindshare", my extremely unscientific survey suggests that
the second most popular TLS implementation is GnuTLS.

I had not heard of LibreSSL ... I mean, if people want to use it using
the the backwards-compatible OpenSSL interface, that seems pretty
straightforward.  Our use of the OpenSSL API is actually pretty small,
and is now concentrated in one file; porting to a new TLS implementation
should be pretty easy.  If someone wants to do it, more power to them!

As for BoringSSL ... well, they say this:

  Although BoringSSL is an open source project, it is not intended for
  general use, as OpenSSL is. We don't recommend that third parties
  depend upon it. Doing so is likely to be frustrating because there are
  no guarantees of API or ABI stability.

I mean, I understand why it exists; it's designed for binary package
distrbution.  But I don't think it would be useful for us; it would have
all of the disadvantages of OpenSSL, but none of the advantages.

--Ken