Due to security issues with OpenSSL, I would like to use NSS or GnuTLS instead. For Apache server needs, it is easy since there exist a module for each one. But for SSH, it looks like difficult if not impossible.
Dropbear embeds its own algorithms and is not open to the outside. OpenSSH has used to being built with OpenSSL, but since a few months, it is possible to build it without it thanks to the new option:
make OPENSSL=no
But then software cryptographic algorithms are used from D. J. Bernstein works. This is good, but not for me because I shall use a TPM, and so have access to a pkcs11 layer. As a consequence, the right solution would be to build OpenSSH with either NSS or GnuTLS.
I cannot wait for LibReSSL on Linux, nor use OpenBSD which has just released it and made it its SSL default layer.
So my question is: Has someone tryed and managed to build OpenSSH with NSS or GnuTLS instead of OpenSSL, or patched Dropbear or any other solution to have a SSH server working with a TPM and EC authentication ?
Note: as I have limited resources, I cannot use OpenSSL with OpenSSH and NSS with Apache. I absolutely need to minimize the embedded libraries.
I have identified three solutions: