Maintained by: NLnet Labs

nettle support? (was: Re: Unbound 1.5.7 release)

W.C.A. Wijngaards
Tue Jun 28 08:55:02 CEST 2016


Hi Robert,

On 27/06/16 18:12, Robert Edmonds via Unbound-users wrote:
> W.C.A. Wijngaards via Unbound-users wrote:
>> - Fix #594. libunbound: optionally use libnettle for crypto.
>>   Contributed by Luca Bruno.  Added --with-nettle for use with
>>   --with-libunbound-only.
> 
> Hi,
> 
> I've received a request to enable this by default in the Debian package
> of libunbound:
> 
>     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828699
> 
>     Currently, GnuTLS cannot be compiled with DANE support as that would
>     require linking against libunbound2; that is unsuitable since
>     libunbound2 links against OpenSSL.  As of unbound 1.5.7, compiling
>     against libnettle is supported for libunbound2.  Doing so would allow
>     GnuTLS (and other GPL-licensed software) to make use of libunbound2.
>     Could you please do so?
> 
> Before I do that, I'd like to determine if the nettle support is
> considered production ready, and if so will it be supported long term?
> Is there any reason to prefer the current OpenSSL crypto implementation
> in Unbound, other than it existing longer?

It works fine, but --with-libunbound-only means the unbound daemon (and
unbound-checkconf tools) do not get compiled.  So, probably unsuitable
for the general-purpose package, where people expect the unbound daemon
to get installed.

The reason the daemon does not compile is that nettle (and libnss, the
other crypto library option) have such different ways to handle SSL (or
rather, TLS) connections.

Best regards, Wouter

> 
> Thanks!
> 

