Control: tags -1 -moreinfo

Hi,

New developments on the Charybdis front: a patch has been developed upstream to fix the issue, but it is pretty invasive. They have basically rewritten the whole GNUTLS backend to make it on par with the other implementations. It's a good thing: there were memory leaks and all sorts of other issues, namely one that I mentioned earlier.

At the very least, we'd need to factor into this p-u a patch like this one:

https://github.com/charybdis-ircd/charybdis/issues/215#issuecomment-246202759

... to fix timeout issues in the gnutls code that crashes the ssld.

But even with that, there are at least two major issues that should be fixed here:

 1. Charybdis 3.4 supports only SHA-1 for certificates, which has serious security vulnerabilities. To give an unrelated example, the APT team plans to remove all SHA-1 support in their repositories next year.

 2. 3.4 also has several memory leaks that are fixed by the gnutls rewrite.

There are three ways forward here:

 1. ignore the above two extra issues and simply add the patch for #215 to the pile of patches in jessie

 2. import the new gnutls.c module from an eventual new 3.5 release upstream directly in jessie - this may be difficult because of internal API changes

 3. import 3.5.x directly in jessie

I would like to have feedback from the release team as to which approach to take forward.

Thanks!

A.

-- 
Advertisers, not governments, are the primary censors of media content
in the United States today.
                        - C. Edwin Baker