Mandos + CentOS 6
Nathanael d. Noblet
nathanael at gnat.ca
Sat Apr 5 21:49:24 CEST 2014
On Sat, 2014-04-05 at 04:19 +0200, Teddy Hogeborn wrote:
> > Any thoughts on how to proceed? Are there alternate implementations of
> > the communication protocols you're using? OpenSSL or something like
> > that that could be compiled against instead of GnuTLS (as an optional
> > configure argument or something?)
>
> As far as I know, OpenSSL can not use OpenPGP keys, and at the time I
> investigated, GnuTLS was the only TLS library to support it. I also
> seem to recall that OpenSSL has a problematic license which precludes us
> from using it.
>
> In *theory* it would be possible to run two Mandos servers with one
> using one version of GnuTLS and the other another one. Clients should
> discover, and try, both of them. But I am not sure how using two
> separate versions of GnuTLS would even work.
>
> This would not help users of --connect, though. We might implement an
> option where multiple servers can be specified, if the above problem
> with multiple GnuTLS versions could be solved.
So out of curiosity - why OpenPGP certificates + TLS? I realize the
transport protocol is encrypted and then you pass the password encrypted
via PGP, which the client has the key to decode. However, I'm wondering -
why not simply use standard SSL/TLS website certificates to protect the
communication channels, and hand the client the encrypted password to
decode?
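The arrangement the question describes, a mutually authenticated TLS channel with the password handed over already encrypted to the client's key, sketched in Go as an added example. This is not Mandos code and not from anyone on the list; it assumes self-signed X.509 certificates as the two sides' trust anchors in place of OpenPGP keys, RSA-OAEP in place of OpenPGP encryption (the Go standard library has no OpenPGP), an in-memory pipe instead of a network, and made-up names ("mandos-server", "mandos-client") and password. The server identifies a client by its certificate fingerprint, the X.509 counterpart of the OpenPGP fingerprint, and only ever stores ciphertext; the second run shows that a client which passes the TLS handshake but was never enrolled comes away with nothing.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// must panics on error; the demo's key and certificate generation cannot sensibly continue without them.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds an in-memory self-signed X.509 certificate with Leaf set. Assumption: throw-away
// demo keys, and each side trusts the other's leaf certificate directly instead of going through a CA.
func selfSigned(name string) tls.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// fingerprint identifies a client the way Mandos uses the OpenPGP key fingerprint: here SHA-256 of the DER.
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
// trust wraps one certificate in a pool; it is the peer's only trust anchor in this demo.
func trust(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }

// serve handles one client: mutual TLS, then hand over the peer's blob if its fingerprint is enrolled.
func serve(conn net.Conn, srv tls.Certificate, clientCAs *x509.CertPool, db map[string][]byte) error {
	tconn := tls.Server(conn, &tls.Config{
		Certificates: []tls.Certificate{srv},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
	})
	defer tconn.Close() // the close_notify this sends is what ends the client's read
	if err := tconn.Handshake(); err != nil {
		return err
	}
	blob, ok := db[fingerprint(tconn.ConnectionState().PeerCertificates[0])]
	if !ok { // a valid certificate is necessary but not sufficient: nothing leaves the server
		return fmt.Errorf("client passed TLS authentication but is not enrolled")
	}
	_, err := tconn.Write(blob)
	return err
}

// fetch is the client: authenticate both ways, read the blob, decrypt it with the key only it holds.
func fetch(conn net.Conn, cli tls.Certificate, serverCAs *x509.CertPool) (string, error) {
	tconn := tls.Client(conn, &tls.Config{
		Certificates: []tls.Certificate{cli},
		RootCAs:      serverCAs,
		ServerName:   "mandos-server", // hypothetical name, must match the demo server certificate
	})
	defer tconn.Close()
	blob, err := io.ReadAll(tconn) // runs the handshake, then reads until close_notify
	if err != nil || len(blob) == 0 {
		return "", fmt.Errorf("no blob from server (err=%v)", err)
	}
	pw, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, cli.PrivateKey.(*rsa.PrivateKey), blob, nil)
	return string(pw), err
}

// exchange runs one round trip over an in-memory pipe and returns what the client recovered.
// With enrolled=false the client still passes the TLS handshake but must come away empty.
func exchange(enrolled bool) (string, error) {
	const secret = "correct horse battery staple" // constructed demo password
	srv, cli := selfSigned("mandos-server"), selfSigned("mandos-client")
	db := map[string][]byte{}
	if enrolled { // install-time step: encrypt to the client's key (RSA-OAEP standing in for OpenPGP)
		pub := cli.Leaf.PublicKey.(*rsa.PublicKey)
		db[fingerprint(cli.Leaf)] = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(secret), nil))
	}
	a, b := net.Pipe()
	errc := make(chan error, 1)
	go func() { errc <- serve(a, srv, trust(cli.Leaf), db) }()
	pw, err := fetch(b, cli, trust(srv.Leaf))
	if serr := <-errc; serr != nil {
		return "", serr // the server's reason for refusing is the more useful error
	}
	return pw, err
}

func main() { fmt.Println(exchange(true)); fmt.Println(exchange(false)) }
```

Two things the code makes concrete that the question leaves implicit: the TLS layer only answers "who is this", and the enrollment table is what decides whether a blob exists for that identity at all; and because the blob was encrypted at enrollment to the client's public key, a server compromised after the fact still cannot read what it serves. With ordinary X.509 the same fingerprint-based lookup works, which is the substance of the "why not website certificates" question; what it does not settle is the key-management side (a separate key pair for encryption next to the TLS one, or reusing the TLS key as here), which is where the single-OpenPGP-key design differs.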