Project

General

Profile

Feature #109

closed

GnuTLS support for the mod_ssl

Added by Anonymous over 15 years ago. Updated 3 months ago.

Status:
Fixed
Priority:
Low
Category:
TLS
Target version:
ASK QUESTIONS IN Forums:
No

Description

any objections against adding gnutls support?

#1

Updated by jan about 15 years ago

no, but noone wrote a patch up to now.

#2

Updated by the-me almost 12 years ago

I would love to have this feature - name based virtual hosts on SSL are really a neccessity now.

#3

Updated by ckujau about 9 years ago

+1 from me, especially since the new TLSv1.0 vuln has been disclosed: https://www.net-security.org/secworld.php?id=11664

GnuTLS has TLSv1.2 support since 2.9.8 (released 2009-11-05)

#4

Updated by gstrauss over 4 years ago

  • Description updated (diff)
  • Category changed from core to TLS
  • Assignee deleted (jan)
#5

Updated by gstrauss over 4 years ago

  • Status changed from New to Need Feedback

I build gnutls with:
[gnutls-3.4.2]$ ./configure -C --enable-openssl-compatibility --disable-non-suiteb-curves
http://osdir.com/ml/general/2016-02/msg40458.html
suggested --disable-non-suiteb-curves on systems with nettle without
secp192 and secp224 curves

However, concerns have been raised about using gnutls, which (BTW) is no longer associated with the GNU Foundation.

http://www.zdnet.com/article/gnutls-big-internal-bugs-few-real-world-problems/
(published in 2014) suggests that GnuTLS might not be the best choice in
TLS libraries, questioning some of its design limitations. Caveat emptor.
(Alternatives include OpenSSL, LibreSSL, BoringSSL, wolfSSL, mbed TLS, ...)

gnutls does not provide compatible headers to openssl, even when gnutls is configured --enable-openssl-compatibility. Combined with the above design criticisms (link), is adding support for GnuTLS still worth the effort?

I have tested lighttpd with openssl and libressl. Other implementations which supply openssl-compatible headers and interfaces are also likely to work with lighttpd with little to no extra effort.

#6

Updated by gstrauss 7 months ago

  • Status changed from Need Feedback to New

Update: mod_openssl has been separated from the rest of lighttpd since lighttpd 1.4.46.

In my development branch, personal/gstrauss/master, I ported other lighttpd use of libcrypto to use libnettle if lighttpd is built with ./configure --with-nettle

libgnutls depends on libnettle.

Creating a mod_gnutls.c is now possible as an isolated task which duplicates the functionality of mod_openssl.c, using GnuTLS instead of OpenSSL.

#7

Updated by gstrauss 4 months ago

  • Status changed from New to Patch Pending
  • Target version set to 1.4.56
  • ASK QUESTIONS IN Forums set to No
#8

Updated by gstrauss 3 months ago

  • Status changed from Patch Pending to Fixed

Also available in: Atom