Critical GnuTLS bug ... - openldap-technical

Howard Chu

4 Mar 2014 4 Mar '14

11:40 a.m.

http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hun...

Perhaps folks will take us more seriously the next time we say "don't use GnuTLS" ... http://www.openldap.org/lists/openldap-devel/200802/msg00072.html

-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

Show replies by date

Erwann Abalea

4 Mar 4 Mar

12:50 p.m.

While I disagreed with you on some PKI-related topics, I fully agree with you on that specific one. GnuTLS is bad.

(back reading that new triple handshake TLS attack)

2014-03-04 20:40 GMT+01:00 Howard Chu hyc@symas.com:

...

http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux- hundreds-of-apps-open-to-eavesdropping/

Perhaps folks will take us more seriously the next time we say "don't use GnuTLS" ... http://www.openldap.org/lists/openldap-devel/200802/ msg00072.html

-- Erwann.

Michael Ströder

1:32 p.m.

Howard Chu wrote:

...

http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hun...

Perhaps folks will take us more seriously the next time we say "don't use GnuTLS" ... http://www.openldap.org/lists/openldap-devel/200802/msg00072.html

While I personally also prefer OpenSSL over GnUTLS it's not fair to blame developers if they publish a security issue themselves.

One never knows which issues are in other preferred software packages which the developers are not honest enough to talk about.

Ciao, Michael.

Howard Chu

1:44 p.m.

Michael Ströder wrote:

...

Howard Chu wrote:

...
http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hun...

Perhaps folks will take us more seriously the next time we say "don't use GnuTLS" ... http://www.openldap.org/lists/openldap-devel/200802/msg00072.html

While I personally also prefer OpenSSL over GnUTLS it's not fair to blame developers if they publish a security issue themselves.

This issue was found by a RedHat audit, not by the GnuTLS developers.

The same underlying problem remains - the GnuTLS developers didn't know the first thing about X.509 certificates. They pointedly ignored (or were simply too inexperienced to even understand) the issues that were identified. And apparently, they still haven't learned, after all this time.

...

One never knows which issues are in other preferred software packages which the developers are not honest enough to talk about.

Ciao, Michael.

-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

3706

Age (days ago)

3706

Last active (days ago)

openldap-technical@openldap.org

3 comments

3 participants

tags (0)

participants (3)

Erwann Abalea
Howard Chu
Michael Ströder