On 1 February 2011 02:08, Juan Lang juan.lang@gmail.com wrote:
> Sure, I can buy that. I'll note that OpenSSL is also available for the Mac, and already loaded by wininet and winhttp. It could be appropriate to move from GnuTLS to OpenSSL for schannel, so we'd only have a single implementation for both Linux and Mac in schannel.
Well, I think that regardless of what schannel ends up using, wininet and winhttp should be implemented on top of schannel in the long term, instead of using OpenSSL directly. I don't think GnuTLS is really the problem though, or that the existing schannel code is particularly badly implemented. It seems to me that it's more a case of the schannel / secur32 API being somewhat unclear, even to the applications actually using it. Tests would certainly help there, but what IMO complicates writing them is that only the client part of schannel is currently implemented.
> Well, it doesn't help make schannel less buggy, but it doesn't aim to. However, it does help Macs without GnuTLS (the default) go from a completely non-functional schannel to a merely buggy schannel.
> I suppose that argument is also why we got the buggy (sorry, Henri) GnuTLS schannel in the first place.
Not really. IMO it's just a case of neglect. For what it's worth, at some point the plan at CodeWeavers was that Hans would do some work on schannel, but I assume msi bugs took priority there.