Peter Nixon wrote:
Sounds fine to me. Maybe we should also in future invesitgate using axtls in place of openssl. Not only is it an order of magnitude smaller which is great for embedded systems, it is also BSD licensed.
FWIW in Fedora we're trying to consolodate all of the crypto usage in our distribution so that it uses NSS (Network Security Services), http://www.mozilla.org/projects/security/pki/nss. We're doing this by incrementally porting applications using OpenSSL or GNU TLS to NSS. We're doing this for a few reasons, to reduce the attack surface by having only a single crypto library which is well vetted, because NSS is FIPS-140 certified (a government requirement), because NSS has a lot more features (e.g. smart cards, integration with an entire PKI ecosystem (e.g. the open source certificate management system DogTag, http://pki.fedoraproject.org/wiki/PKI_Main_Page), and to eliminate the obnoxious licensing issues with OpenSSL). FreeRADIUS is on our list of applications to be ported to NSS. At the moment the only thing holding that back is the lack of time (I'm the mostly likely person to perform the port and I don't have any space cycles at the moment). If anybody else has some extra cycles to help port FreeRADIUS to NSS please let me know, your help would be greatly appreciated! Alan has told me in the past he is in favor of having a NSS port. -- John Dennis <jdennis@redhat.com>