Sean Collins

sean [at] seanmcollins [dot] com

GPG Key ID: 0xf60f564978913931

sean [at] coreitpro [dot] com

GPG Key ID: 0xA1D7E590

sc68cal on FreeNode


Is it time to abandon OpenSSL?

Lots of people are talking about the latest OpenSSL vulnerability. It’s a pretty big one.

The OpenSSL library is not exactly the easiest library to work with. It sounds like writing an application that actually uses the library, instead of the “porcelain” that is provided, is incredibly difficult.

Reading the comments on HN, it sounds like it is not just one developer who has struggled with OpenSSL. I came across this comment:

Adobe’s Flash Player used OpenSSL on Linux for a long time, but eventually switched to NSS because the OpenSSL project would repeatedly break their library ABI without changing version numbers. The OpenSSL developers said that a stable ABI was a non-goal of theirs. (Disclosure: I was an engineer on Adobe’s Flash Player team.)

NSS: Network Security Services (NSS).

NSS is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.

Lately, I’ve seen a lot of FreeBSD ports start adding support for GnuTLS - perhaps it’s also time for people to start looking into NSS as well. Now, obviously I’m doing some serious hand-waving about the difficulty of porting from OpenSSL’s API to NSS - but if NSS has a larger community and a better codebase (all of which I’m hoping it has, but have not done any research into) then I still think it should be considered.

From the linked article, it sounds like OpenSSL is really beyond salvaging, especially if there are only two developers, as this article states.

I feel for the OpenSSL developers, all two of them, I really do. They have come under a huge amount of fire recently. I would not be surprised if they just downed tools to go live in a cabin in the woods tomorrow, out of sheer frustration and upset. When their code works, they get no thanks, when it breaks, they never hear the end of it.

Anyway, couple random thoughts.