Added CC: Marc Jones, who might be able to comment on the issue.

On 09/27/2015 09:41 PM, Petter Reinholdtsen wrote:
>
> [James Valleroy]
>> We will need to switch from mod_ssl to mod_gnutls to (eventually)
>> enable PGP client certificate authentication. Not all of the required
>> pieces are available yet. However, I suggest we can make the switch to
>> mod_gnutls now, so we can thoroughly test it integrated with the rest
>> of FreedomBox.
>
> Is this a good idea, given the fact that openssl is getting
> funded security review after the latest problems with the library, while
> gnutls is not?
>
I checked a bit on GnuTLS. It does not look pretty. A discussion on the OpenLDAP list strongly discouraged the use of GnuTLS [1][2]. A Debian developer acknowledges that GnuTLS is only being compiled against OpenLDAP in Debian, despite its shortcomings, due to licensing reasons. Although active, most of the contributions seem to come from a single developer [3].

Links:
1) http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
2) http://www.zdnet.com/article/gnutls-big-internal-bugs-few-real-world-problems/
3) https://gitlab.com/gnutls/gnutls/commits/master