On 09/27/2015 02:14 PM, Petter Reinholdtsen wrote:
> [Sunil Mohan]
>> I checked a bit on GnuTLS. It does not look pretty. A discussion on
>> OpenLDAP list strongly discouraged the use of GnuTLS[1][2]. A Debian
>> developer acknowledges that GnuTLS is only being compiled against
>> OpenLDAP in Debian despite its shortcomings only due to licensing
>> reasons.
>>
>> Although active, most of the contributions seem to come from a single
>> developer.
>
> As the license issue is not going away, I suspect a good approach is to
> help the GnuTLS project instead of leaving it behind. But we should know
> about the issue, and take an informed decision.
>
> My experience with the GnuTLS developers is that they are knowledgeable
> and friendly, and that the claim from Howard Chu about them being "too
> naive and inexperienced to even understand that it's broken" is wrong.
> But they lack time to do what they want with the library. :)
>
> Given the state described in
> <URL: http://www.openldap.org/lists/openldap-devel/200802/msg00076.html >,
> and which is still the current state of copyright law as far as I know,
> we will have to use gnutls in Freedombox no matter what we use with the
> web browser.
>
I would agree, Petter. Besides the licensing issues with OpenSSL, GnuTLS and mod_gnutls, I believe, are unique in providing support for the PGP Web of Trust for client certificate verification, which is the only reason I have been pushing for a switch to mod_gnutls.

In terms of the security of GnuTLS, I am sure that OpenSSL is going to get more scrutiny than any other SSL library, but it also looks like GnuTLS and mod_gnutls are getting a lot more attention as of late. Last year GnuTLS had over 25 people contribute.[1] And this year we saw mod_gnutls get a new maintainer that is much more active.

In terms of the OpenLDAP developer's concerns from 2008, it seems they have been addressed by the primary GnuTLS developer on more than one occasion. Nikos, the main GnuTLS developer, specifically addressed it in 2010 [2] on the gnutls mailing list. He also discusses it in a 2011 blog post.[3] Apparently, at least according to Nikos, the OpenLDAP developer was right about finding a bug in one function, but the OpenLDAP developer was wrong to generalize it to the entire library. GnuTLS has apparently addressed the 2008 issue.

It's too bad the OpenLDAP mailing list post is referenced in a recent ZDNet article that shows up on the first page of a DuckDuckGo search for GnuTLS [4], because it will give new life to that dead bug. Considering Nikos was still discussing the bug three years after it was brought to his attention, though, the fact that an article was talking about it 7 years later might not surprise him. It looks like GnuTLS has a bit of a zombie bug on its hands: no matter how many times they kill it, people think it keeps coming back to life.
-Marc

[1] http://nmav.gnutls.org/2014/12/a-quick-overview-of-gnutls-development.html
[2] http://lists.gnu.org/archive/html/help-gnutls/2010-05/msg00018.html
[3] http://nmav.gnutls.org/2011/05/is-really-gnutls-considered-harmful.html
[4] http://www.zdnet.com/article/gnutls-big-internal-bugs-few-real-world-problems/

--
Marc Jones
Counsel
Software Freedom Law Center
1995 Broadway, 17th Floor
New York, NY 10023
Tel: 212-461-1919
Fax: 212-580-0898
Email: mjo...@softwarefreedom.org
www.softwarefreedom.org