Question about package build

Daniel Lenski dlenski at gmail.com
Sun Sep 1 12:09:10 PDT 2024


On Sun, Sep 1, 2024 at 8:19 AM Moorko <me at moorko.net> wrote:
> I noticed that the OpenConnect package available in Linux distributions
> like Ubuntu and Fedora is built with GnuTLS rather than OpenSSL.
> Is there a specific reason for this?

Many such reasons, from my point of view…

1. Historically, OpenSSL didn't support the
pre-release/non-standardized version of DTLS used by Cisco in a
consistent or stable way (even though Cisco's own DTLS implementation
was clearly built using a specific ancient version of OpenSSL 😵‍💫).
OpenConnect's BDFL David Woodhouse had to cajole them into
intentionally supporting it, and then to add tests for it so they'd
stop breaking it over and over in new releases.
2. By contrast, GnuTLS developers have taken a personal interest in
OpenConnect. In fact, the collaboration and curiosity that resulted
from implementing Cisco's pre-release version of DTLS in GnuTLS
largely inspired the development of ocserv 😃. See
https://nikmav.blogspot.com/2013/11/inside-ssl-vpn-protocol.html
3. The GnuTLS API is well-designed, well-documented, and has fewer
archaeological layers of legacy cruft.
4. The ocserv server is built with GnuTLS, and sometimes it's helpful
to share code and knowledge between the client and server components.

> As far as I know, OpenSSL is more flexible

I'm not sure what "flexible" means specifically. OpenSSL is a very
long-running project and contains several layers of legacy APIs that
sometimes interact in strange ways.

From my point of view as a longtime OpenConnect developer, most of the
code that deals with TLS/DTLS/ESP directly is *simpler and more
maintainable* in its GnuTLS versions than in its OpenSSL versions.
Compare https://gitlab.com/openconnect/openconnect/-/blob/master/gnutls-dtls.c
vs. https://gitlab.com/openconnect/openconnect/-/blob/master/openssl-dtls.c
for instance.

Having worked with OpenSSL quite a bit in other commercial and FLOSS
projects, I'd say that the "flexibility" of OpenSSL is more often a
liability than an asset. 🤷🏻‍♂️

> and offers better performance.

What's the source for this "better performance" claim and how does it
impact OpenConnect specifically?

Daniel
