Project

General

Profile

Actions

Feature #4243

closed

Replacing NSS with OpenSSL

Added by Michael Tremer almost 4 years ago. Updated almost 4 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

Hello,

I would like to know if there is a change that we can migrate suricata from using NSS to OpenSSL. I tried to research why NSS was chosen, but could not find anything on the old mailing list or on here.

Therefore, I would like to ask if OpenSSL would be a suitable replacement. I personally favour it, because OpenSSL has been massively improved since the last big security incidents and is the default library in most Linux distributions and usually performs better in benchmarks compared to others. It is very portable and runs on many architectures and operating systems, which should not limit anyone from using suricata where they like to.

My biggest pain point is that in IPFire we do not use NSS, and I would like to avoid another crypto library. We already have too many and since this is a sensitive part of the software stack, it would simply be better to already use what we have - and on top might be technologically slightly superior. Many other projects (cURL, Chrome, ...) seem to migrate away from NSS to OpenSSL, too.

So, in short, is it possible to migrate or are there any reasons against that I have missed?

Actions

Also available in: Atom PDF