[Mono-dev] cert-sync (Mono-devel-list Digest, Vol 117, Issue 35)

Jo Shields directhex at apebox.org
Fri Jan 23 12:34:48 UTC 2015


On 22/01/15 22:26, Sebastien Pouliot wrote:
> No, not for Linux. There is (or at least was) no OS API that provided that
> service and not every distro shipped/installed-by-default any library that
> could do this.
>
> Sebastien

Further to this, because Linux is About Choice(tm), there are three
major SSL libraries, and several minor ones, which all use different
cert store formats.

GnuTLS is popular because of its licensing and unpopular because it's
terrible. It works on a flat folder structure of certs, e.g.
/etc/ssl/certs/Wells_Fargo_Root_CA.pem

OpenSSL is popular because it works and unpopular because it's
GPL-incompatible. It works on a flat folder structure of hash-based
symlinks to certs, e.g. /etc/ssl/certs/03f0efa4.0 -> Wells_Fargo_Root_CA.pem

NSS (Netscape Security Services) is popular because of its licensing and
that it works, and unpopular because its cert store format is
ass-backwards. It works on a hard-compiled cert list, and also an SQLite
database in your home directory. This one's become popular lately
because Fedora has been trying to build the world against NSS instead of
GnuTLS or OpenSSL.

So... for Mono to integrate "properly", it needs to potentially build
against three different SSL libraries. More with the minor players like
PolarSSL included.
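As an added illustration of the OpenSSL layout described above (hash-named symlinks pointing at PEM files in one flat directory), the following Python script models how such a directory is laid out and audited. It is example code written for this page, not Mono's cert-sync and not OpenSSL's c_rehash. The file name Wells_Fargo_Root_CA.pem and the hash 03f0efa4 come from the post; every other file name and hash value is a constructed sample, and the collision-suffix rule (.0, then .1, .2 for further certificates sharing a subject hash) is the naming convention c_rehash uses.

```python
"""Model of the OpenSSL-style hash-link cert directory layout.

Added example, not Mono's cert-sync or OpenSSL's c_rehash. The subject
hashes used in demo() are constructed sample values (except 03f0efa4,
taken from the mailing-list post), not real hashes of any certificate.
"""
import os
import re
import tempfile
from pathlib import Path

# OpenSSL link names look like <8 hex digits of subject hash>.<collision index>
HASH_LINK_RE = re.compile(r"^([0-9a-f]{8})\.(\d+)$")


def plan_hash_links(subject_hashes):
    """Map each PEM file name to the hash link name c_rehash would create.

    subject_hashes: {pem_filename: 8-hex-digit subject hash}. When two
    certificates share a hash, the second gets suffix .1, the third .2,
    and so on. Returns {link_name: pem_filename}; files are processed in
    sorted order so the result is deterministic.
    """
    links = {}
    next_index = {}
    for pem in sorted(subject_hashes):
        h = subject_hashes[pem].lower()
        idx = next_index.get(h, 0)
        links[f"{h}.{idx}"] = pem
        next_index[h] = idx + 1
    return links


def write_hash_links(cert_dir, subject_hashes):
    """Create the symlinks from plan_hash_links() inside cert_dir."""
    cert_dir = Path(cert_dir)
    for link_name, pem in plan_hash_links(subject_hashes).items():
        link = cert_dir / link_name
        if link.is_symlink() or link.exists():
            link.unlink()
        os.symlink(pem, link)  # relative target, as c_rehash writes it


def audit_hash_links(cert_dir):
    """Inspect an OpenSSL cert directory and report each hash link.

    Returns a sorted list of (link_name, target, ok) tuples. ok is False
    for a dangling link, a link whose target resolves outside cert_dir,
    or a hash-named entry that is a regular file rather than a symlink.
    A failing entry means a trust anchor the directory claims to hold
    is not actually being loaded from where the name says it is.
    """
    cert_dir = Path(cert_dir)
    report = []
    for entry in sorted(cert_dir.iterdir()):
        if not HASH_LINK_RE.match(entry.name):
            continue  # a plain PEM file (GnuTLS-style), not a hash link
        if not entry.is_symlink():
            report.append((entry.name, None, False))
            continue
        target = os.readlink(entry)
        resolved = (cert_dir / target).resolve()
        ok = resolved.is_file() and resolved.parent == cert_dir.resolve()
        report.append((entry.name, target, ok))
    return report


def demo():
    """Build a constructed store, add one dangling link, and audit it."""
    tmp = Path(tempfile.mkdtemp(prefix="certs-"))
    placeholder = "-----BEGIN CERTIFICATE-----\nconstructed-placeholder\n-----END CERTIFICATE-----\n"
    for name in ("Wells_Fargo_Root_CA.pem", "Other_Root_CA.pem", "Same_Hash_CA.pem"):
        (tmp / name).write_text(placeholder)
    # Constructed sample hashes; the last two collide on purpose.
    hashes = {
        "Wells_Fargo_Root_CA.pem": "03f0efa4",
        "Other_Root_CA.pem": "deadbeef",
        "Same_Hash_CA.pem": "deadbeef",
    }
    write_hash_links(tmp, hashes)
    os.symlink("Removed_CA.pem", tmp / "0badc0de.0")  # dangling on purpose
    return audit_hash_links(tmp)


if __name__ == "__main__":
    for link_name, target, ok in demo():
        print(f"{link_name} -> {target}  {'ok' if ok else 'BROKEN'}")
```

On a real system the subject hash for each PEM file comes from `openssl x509 -noout -subject_hash -in <file>`; the script deliberately takes hashes as input rather than reimplementing OpenSSL's canonical-name hashing. The audit function is the part worth keeping: run it over a store after any sync step, because a dangling or misdirected hash link fails silently (OpenSSL simply does not find the issuer), which surfaces later as an unexplained verification failure.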

