Re: [Gap-dev-discuss] Quick solution for the Pantomime OpenSSL issue

[Riccardo Mottola]

Hi Yavor,

Yavor Doganov wrote:
> I am proposing a patch that makes Pantomime use the built-in GnuTLS
> support in GNUstep Base as a temporary solution for the licensing
> issue.  It is a complete replacement (and even enhancement) of the
> existing OpenSSL implementation.  I'm not pleased with it for reasons
> explained below but as the Debian freeze is approaching quickly I have
> to do something to keep GNUMail/LuserNET in the next stable release.
Sorry for the long delay replying, I kept this message maturing in my inbox.

Thanks for looking at and nice to know that it works. For now thing, for 
many reasons you mentioned below, especially diverging from Mac and 
movin a bit in the untested field, make s me prefer to keep this patch 
out of the official tree. You may apply it separately to get pantomime 
in the gnumail repository, but prehaps we can find another or better 
solution.
I did not test it on the mac yet, mind you.

I have seen that debian has an gnutls openssl compatibility package: 
maybe that is enough for our purpose?
And libressl?

Riccardo
> Good things:
>
> * It is binary compatible.  The patch is also fairly trivial -- so
>    simple and straightforward that I am a bit amazed that it works.
>
> * All the job is done by Base via GSTLSHandle (or GSSSLHandle) so
>    there is zero maintenance cost (compared to a fully-fledged GnuTLS
>    implementation that has to track/adapt to changes in the library).
>
> * I like the idea of delegating the job to something as fundamental as
>    GNUstep Base.  This means that Pantomime doesn't have to link with
>    GnuTLS at all, and the patch *should* work with Base built with
>    --disable-tls --enable-openssl (i.e., with the OpenSSL bundle).
>
> * There is a certain degree of flexibility as the behavior can be
>    controlled via the standardized (by Base) environment variables
>    GS_TLS_* and the GSTLS* user defaults.  For example, you can change
>    the default GnuTLS priority, or enforce certificate verification.
>    This is not possible with Pantomime as it is now.
>
> Bad things:
>
> * AFAICS from the Apple documentation this functionality is not
>    available on MacOS X.  If I understand the Base build system
>    correctly the NSFileHandle enhancements are not available even as
>    GNUstep Additions.  That's why I call it a "temporary" solution.
>
> * I had to resort to using private methods (-read:length: and
>    -write:length:).  Not sure if it is possible at all to use only the
>    public API; more likely I'm being way too dumb and missing something
>    obvious.  Help here would be greatly appreciated.
>
> * The handshake timeout is hardcoded by Base (30 s) and not the
>    default timeout that Pantomime sets (60 s).  Admittedly, this is a
>    minor issue.
>
> * If you want to extend the Pantomime API to provide "proper" support
>    it is almost certain that GSTLS won't be sufficient.  For example,
>    it would be nice if GNUMail displayed the invalid certificate and
>    allowed the user to inspect it and eventually add an exception.  Or
>    to provide better error handling so that apps can display good and
>    descriptive error messages.  Another reason why this patch can be
>    treated as a temporary solution only.
>
> * It won't work with older GNUstep Base releases as the GSTLS stuff
>    was added fairly recently.  Not sure how important is this given
>    that GNUMail from SVN trunk can't be built with Base 1.22.
>
> Comments welcome.