RFC: Adding Mac support to secur32/schannel.c

Juan Lang juan.lang at gmail.com
Wed Feb 2 11:46:39 CST 2011

Hi Damjan,

> OpenSSL seems like a bad idea. It has poor binary compatibility and
> problematic FIPS 140 certification, and Fedora is dropping it in favour of
> NSS:
> http://fedoraproject.org/wiki/FedoraCryptoConsolidation
> http://fedoraproject.org/wiki/CryptoConsolidationEval

Maybe, but OpenSSL is a requirement for wininet and winhttp right now.
 For Fedora's proposed crypto consolidation, they're also proposing
building a compatibility layer for OpenSSL on top of NSS, so it's
possible that Wine's uses of OpenSSL could use these, too.  But this
is essentially hypothetical.

As Henri noted, wininet and winhttp should be layered on top of
schannel.  This is a requirement to fix a couple of bugs in at least
wininet (though I'm less sure about winhttp).  It has the added
advantage of consolidating an SSL implementation in Wine into one
place.  Then, if platform-dependent SSL libraries are required, either
to support Fedora and other Linux distributions that have divided
opinions about SSL implementations, or to use Mac's Secure Transport
libraries on that platform, they would only have to be done in one

> OpenSSL isn't part of the LSB (while NSS is), so if we ever want to make a
> Wine LSB package, it might be a good idea to get OpenSSL out of Wine
> entirely. See also the August 2008 wine-devel thread about this:
> http://www.winehq.org/pipermail/wine-devel/2008-August/068575.html

Since that thread, where I stated that new code based on OpenSSL
wasn't likely to get accepted, an OpenSSL dependency was added to
winhttp.  Apparently I was mistaken.


More information about the wine-devel mailing list