[gnutls-devel] dane - limited usability due to (indirect) OpenSSL dependency

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Dec 28 15:34:18 CET 2013

On Sat, 2013-12-28 at 14:55 +0100, Andreas Metzler wrote:
> Hello,

> Apart from the licensing issue it is imho more than a little bit ugly
> that software using libgnutls-dane links against both GnuTLS and
> OpenSSL.
> Checking unbound's ./configure I see that it could also be built
> against NSS instead of OpenSSL. This would get rid of the OpenSSL
> license problem, but still any libgnutls-dane user would depend on not
> only one, but two of the three major TLS toolkits.

Hello Andreas,
 I understand that and this was the reason libgnutls-dane was made a
separate library. On my part I don't think there is much I can do.
Libunbound is the only dnssec library I could find, so switching to
another isn't (currently) an option. 

At the time of adding this support I thought that having support for DANE
was more important than linking and dependency issues.

> [1] I am aware that there are divided opinions on this subject. e.g.
> Fedora uses the system library exception clause for OpenSSL.
> <https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F>
> But e.g. Debian has always tried to not ship GPL software linked
> against OpenSSL and, although this might change, I would not count on it.

I understand Debian's approach but I cannot think of anything I could do
in gnutls-dane to solve that. While I'd be happy to drop unbound and use
another library for dnssec resolving, I know of no other alternatives.

