Using GnuTLS rather than OpenSSL

Roger Dingledine arma at mit.edu
Fri May 7 13:27:33 UTC 2010


On Fri, May 07, 2010 at 12:06:16PM +0200, Linus Nordberg wrote:
> In a discussion about memory consumption (buffers) with Roger and Jake,
> the question of GnuTLS as an alternative to OpenSSL came up.

Check out src/common/crypto.[ch] and src/common/tortls.[ch]

Once upon a time these were good clean abstractions over openssl, meaning
they are the only files that need to change if you switch from openssl
to some other crypto lib.

I say 'once upon a time' because I just looked over them again and they
sure seem to have grown messier since they started. :(

> One of the things mentioned was the purported lack of support for
> ephemeral Diffie-Hellman in GnuTLS.  Since we have its current
> maintainer (and, I think, main developer) at arm's reach here I think we
> should take the opportunity of meeting with him and discuss this before
> Roger leaves Stockholm.
> 
> I don't know what Tor needs so I couldn't really judge whether existing
> functionality would suffice:

Sounds good. I vaguely recall that in the early 2000s it was missing
server-side EDH. That could have been the Netscape crypto lib that I'm
thinking of though. Nick did those investigations and they are likely
now lost in the depths of time (plus hopefully obsolete).

--Roger



More information about the tor-dev mailing list