Michael Ströder wrote:
> Howard Chu wrote:
>> Perhaps folks will take us more seriously the next time we say "don't use
>> GnuTLS" ... http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
> While I personally also prefer OpenSSL over GnuTLS it's not fair to blame
> developers if they publish a security issue themselves.
This issue was found by a RedHat audit, not by the GnuTLS developers.
The same underlying problem remains - the GnuTLS developers didn't know the
first thing about X.509 certificates. They pointedly ignored (or were simply
too inexperienced to even understand) the issues that were identified. And
apparently, they still haven't learned, after all this time.
> One never knows which issues are in other preferred software packages
> the developers are not honest enough to talk about.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/