[Help-gnutls] Re: GnuTLS vs OpenSSL vs NSS

Simon Josefsson simon at josefsson.org
Fri May 4 14:18:18 CEST 2007


Daniel Kahn Gillmor <dkg-debian.org at fifthhorseman.net> writes:

> On Thu 2007-05-03 15:38:35 -0400, Simon Josefsson wrote:
>
>> Right, I think we should mention this.  There is no equivalent feature
>> in GnuTLS yet, but I'm working on PKCS#11 support to address one aspect
>> of this (client smart card authentication) and made the first release a
>> few days ago.
>
> i'd be interested in reviewing this, if you've got test cases that
> need it.  Sorry that i missed the initial announcement.  i use an
> eGate smartcard for daily (hooked in via opensc and openct) via PAM
> and openssh [0], and i've got a spare device i could test with.
>
> Can you point me towards something to test?

Neat!  It would be very useful to have more testers with other smart
card devices.  See the gnutls-dev list, and the recent p11-branch
announcement:

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/1976
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/1923

Right now, loading trusted CAs via the Scute PKCS#11 provider works.

If you can point to a PKCS#11 provider for your card, I can see if I can
make GnuTLS support linking to it -- I probably can't test it myself
though.

>> Btw, I'd like to add other free TLS libraries to the list.  That's
>> why I made the implementations have one row each in the tables,
>> rather than having the implementations be one column each.  This
>> allows the list of implementations to be added easily, without
>> clobbering the page too much.
>
> these might be worth including:
>
> http://yassl.com/
> http://www.matrixssl.org/
>
> (and soliciting feedback from their developers would be a good thing
> for the page, too)

Yup.  I'll update the comparison page with all input next week or so.

/Simon




