I've scanned the list and the website and I might have missed a design doc
somewhere, but as far as I can tell I can't find any motivational reason
for why Go implemented its own SSL library.
Ordinarily, if the author of Go's SSL library wasn't someone of AGL's
caliber, I would have written off another implementation of SSL as just
plain crazy. It's hard to get crypto right, and OpenSSL or GnuTLS have been
tested and hardened, hopefully with most bugs worked out. However, since
AGL is also a contributor to OpenSSL directly, I can't help but wonder why
Go decided to re-invent the wheel here.
The only two things I can think of as possible pros are that perhaps the Go
authors wanted the Go standard library to be all written in Go, or that
maybe an existing library was hard to get to work with the event loop? The
first argument is poor since there's already a lot of native code that's
not Go in the standard library and OpenSSL is super portable. I can't
really say much toward the second argument. Even more speculative and crazy
(and something I wouldn't have considered at all until Snowden) is that
maybe Google knows something we don't about the OpenSSL codebase but isn't
allowed to say? Nah.
On the flip side, Go's reimplementation has caused some serious headaches (
https://code.google.com/p/go/issues/detail?id=5987 is one example, I can't
find the other ticket I have in mind at the moment, something about what
certificates in the chain Go chooses to present to the peer), raises
security questions (yet another codebase to vet and verify), and perhaps
most selfishly, none of my OpenSSL hardware acceleration modules work with
Go at all (cryptodev or AF_ALG support plz?).
I've had a few people show serious surprise and concern when I mention Go
uses its own crypto library.
So, yeah, given all that, having not seen any discussion of this before,
why? I assume there's good reasons.
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to email@example.com.
For more options, visit https://groups.google.com/groups/opt_out.