Re: [exim] GnuTLS vs OpenSSL

Góra strony
Delete this message
Reply to this message
Autor: Andreas Metzler
Data:  
Dla: exim-users
Temat: Re: [exim] GnuTLS vs OpenSSL
On 2021-09-18 Sabahattin Gucukoglu via Exim-users <exim-users@???> wrote:
> Debian always builds Exim against GnuTLS, in its “heavy” variation,
> but I’ve always resisted by building against OpenSSL (and,
> incidentally, taken the time to tweak it for me). On the face of it
> that’s fine, except …


> Is there really a good reason? I do it chiefly because I like
> OpenSSL’s cipher selection (I want very permissive, ordered by
> @STRENGTH, and TLS 1.3 would be nice). There were also horror stories
> about RNG entropy starvation caused by GnuTLS.


> It’s tedious. I don’t put compilers on my server, and I don’t much
> enjoy setting up a build environment just to compile Exim against
> stable libraries and headers. It also makes upgrading much harder.

[...]

Hello,

imho exim linked against GnuTLS is perfectly adequate for a quiet
personal server. I have been using it for ages. FWIW I also do not
fiddle with TLS cipher selection on my server. GnuTLS defaults are
supposed to be sane, and its author know a lot more about encryption
than I do.

Debian links exim against GnuTLS mainly for historic reasons. OpenSSL's
license (pre 3.0.0) is gpl incompatible and at the point in time we
looked at it some of the libraries we wanted to link (indirectly)
against were GPL without OpenSSL-exception.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'