Hello Peter,

On 02.02.2016 at 06:59, peter green wrote:
> On 01/02/16 07:45, Carsten Schoenert wrote:
>> Can you give us a suggestion how to handle these issues? I've seen a
>> similar solution like mine on the samba package upstream [5]. The zarafa
>> suite isn't using these parts of the libvmime package as they connect
>> locally to localhost. But then we have to provide a secure libvmime
>> package.
>>
> I'm not one of the gnutls maintainers but IMO you should only override
> the defaults set by your tls library if you have good reason AND you are
> prepared to maintain your modifications over the long term to take
> account of changing best practice.

I fully agree with you! But as written earlier, I'm also no security expert on cryptography and I haven't done any special code review on the gnutls part of libvmime, and I'm happy to get feedback from you and the GnuTLS maintainers.

> The non-default settings in this package were clearly not being
> maintained.

Hmm, I haven't taken a look at the current working parts of libvmime, so I can't say if it's not maintained, but consider: we are talking about code and a release from 2010, the code base we are talking about is five years old, and there is nothing like security support by the vmime developers! It's somewhat ridiculous that upstream hasn't released a new version since the 0.9.1 release, given what has happened in the past two years. But we (the Zarafa packaging team) have a reverse dependency on that library, so we have to fix these issues.

I also fully agree with the rest of your email and I'm happy to let libvmime use the default settings from the GnuTLS library. If this is done by gnutls_set_default_priority() as written by Andreas, this is fine.

We finally need a test scenario where we can check the settings that are used if I use the libvmime settings. Even better would be if upstream released a new upstream version to get rid of special workarounds.

-- 
Regards
Carsten Schoenert