Re: Waking the dead: LibSoup and NSS

[Dan Winship <danw gnome org>]

On 08/04/2010 12:00 PM, Christian Hilberg wrote:
> The GnuTLS docs indicate that PKCS #11 support might still be experimental

There have been patches floating around for years, but AFAIK there has
only been support in the gnutls mainline for about 2 weeks now. :-)

> This all being said, I'd like to get to know about the current status of 
> LibSoup regarding support for being built with libnss (latest information I 
> found dates back from 2008).

The plan is to add TLS support to GSocket in gio
(https://bugzilla.gnome.org/show_bug.cgi?id=588189), with support for
client-side certificates and PKCS#11, and pluggable gnutls and NSS
backends, and then port libsoup to use that (which is part of
https://bugzilla.gnome.org/show_bug.cgi?id=591739).

The current state of the glib TLS work can be found at
git://github.com/danwinship/glib.git, tls branch, but it's incomplete
and still a work in progress. The tls-nss branch has the start of an NSS
backend, but at this point it's mostly just a cut+paste of the gnutls
backend, without even fully renaming everything yet. Meanwhile, the
tls-cert and tls-ioadapter branches have the beginnings of various
in-progress simplifications to the API... (You can also see some work
towards making libsoup use the new branch at
git://github.com/danwinship/libsoup.git, gio-based branch, but I think
that's out-of-date wrt the current glib tls branch API.)

Anyway, if you wanted to hack on getting things working on the tls-nss
branch (against the current APIs there, ignoring the
rewrites-in-progress), that would be extremely useful. It's likely that
finishing up NSS support is going to require some changes to the public
APIs to work with NSS's unique worldview (eg, the central certificate
db, etc).

-- Dan