Opened 5 years ago

Closed 22 months ago

Last modified 22 months ago

#7027 closed enhancement (wontfix)

Integrate TLSlite into Gajim

Reported by: ioerror
Owned by:
Priority: normal
Milestone:
Component: None
Version: hg
Severity: normal
Keywords: security privacy tls
Cc:
Blocked By:
Blocking:
OS: All

Description

problem

I use TLSLite for a lot of my Python TLS related activities.

analysis

I'd like Gajim to use it when it is available; it would mean that the attack surface for Gajim with regard to native code would be even lower than it is now.

enhancement recommendation

Attempt to use TLSlite first and fall back to OpenSSL when it is unavailable.

Change History (7)

comment:1 Changed 5 years ago by asterix

What's the advantage of TLSlite over OpenSSL? Is it possible to check certs with tlslite?

Patches are always welcome of course :)

comment:2 Changed 5 years ago by ioerror

The main advantage is that TLSlite is written in pure python and so it is very much in the spirit of Gajim :)

I'll look into TLSlite integration if it's something that would be of interest to you?

comment:3 Changed 5 years ago by asterix

I don't see any interest to spend some time to implement something that already works with another lib, at least for me. But if you have a working TLSlite integration, I'll include it with pleasure!

comment:4 Changed 5 years ago by ioerror

Ok - I'll put it on the TODO list. :)

comment:5 Changed 22 months ago by mcepl

I think this is exactly The Wrong Thing™ ... we should use less homebrewed crypto and more standard cryptographic libraries (OpenSSL, NSS, GnuTLS).

I would strongly vote for WONTFIX here.

comment:6 follow-up: Changed 22 months ago by asterix

  • Resolution set to wontfix
  • Status changed from new to closed

pyopenssl is now in pure python too.

comment:7 in reply to: ↑ 6 Changed 22 months ago by mcepl

Replying to asterix:

pyopenssl is now in pure python too.

That is not completely correct. pyopenssl depends on cryptography, which uses OpenSSL via libcffi. However, I still believe that this is way better than doing cryptography algorithms on our own.
