W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Mandatory TLS == OpenSSL everywhere? !?!

From: Geoff Beier <geoff@redhoundsoftware.com>
Date: Thu, 14 Nov 2013 20:04:09 -0500
Message-ID: <52857309.1080205@redhoundsoftware.com>
To: Adrien de Croy <adrien@qbik.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>


Adrien de Croy wrote:

> Does this mean, that if we made TLS mandatory, that effectively we would
> be placing the security of the web in the hands of the OpenSSL
> contributors. I think it effectively does.

libcurl, a popular http library, can use 9 different TLS libraries.

They publish a nice comparison chart here:

http://curl.haxx.se/docs/ssl-compared.html

I do suspect that most people who use libcurl for http support use 
whichever TLS library is available in their development environment by 
default, which will be OpenSSL or Secure Channel for the vast majority.

Geoff
Received on Friday, 15 November 2013 01:04:34 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC