> Are you sure about this? TLS has a wide variety of protocol options and the supported vs.
> "available" cryptosystem matrix is complex. Won't these all change if the underlying
> implementation changes?
Well, I focused mostly on the PKCS#11 changes, but for all its internal crypto operations SSSD has, for some time now [1], supported OpenSSL, made it the default [2] and finally dropped [3] NSS altogether; the two crypto backends had been used as feature-parity alternatives.
Probably not enough to compare, but from what I see in these matrices [4], there's basically nothing that NSS supports and OpenSSL doesn't (while the reverse is true).
Not to mention that we already switched to an OpenSSL-based version of SSSD in 21.10, and even if its user base can't be compared to 20.04, so far I haven't read about related issues [5].
That said, if the SRU team would feel more confident in only having p11_child built with OpenSSL, it should be technically possible, though of course not as easy as switching completely (which is probably also safer and more future-proof).
[1] https://github.com/SSSD/sssd/issues/4521
[2] https://github.com/SSSD/sssd/pull/1042
[3] https://github.com/SSSD/sssd/issues/1041
[4] https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
[5] https://github.com/SSSD/sssd/issues?q=is%3Aissue+openssl+