help-gnutls

Re: GnuTLS considered harmful


From: Simon Josefsson
Subject: Re: GnuTLS considered harmful
Date: Mon, 31 May 2010 20:37:02 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Stephane Bortzmeyer <address@hidden> writes:

> As far as I know, this rant has never been discussed here:
>
> http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
>
> [...] I strongly recommend that GnuTLS not be used. All of its APIs
> would need to be overhauled to correct its flaws [...]

The gnutls_x509_crt_set_subject_alt_name function has been added which
can handle binary structures like packed IP addresses.  Non-domain SANs
don't seem to be widely used, though; I haven't been able to get an IP
address SAN through any commercial CA.  From a systems perspective, I'm
not sure the complexity introduced by this outweighs the benefit, but
hey, at least we now support it.

I have no idea what other APIs he is referring to -- all relevant APIs
should take opaque buffer pointers plus buffer size.

I also have no idea what APIs he thinks are problematic wrt strlen/strcat.
I would expect that if strlen is used on binary data things would break
quickly and we'd notice.

Essentially, we have corrected the substantial part, and we'd be happy
to improve anything else if the rant is converted into a substantial
report about missing or incorrect functionality.

/Simon
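An added illustration of the point argued above (not code from GnuTLS or from this thread): a SubjectAltName iPAddress GeneralName is a binary value, so an encoder must be handed an explicit length the way a pointer-plus-size API does; a variant that derives the length with strlen() truncates a packed 10.0.0.1 at its first zero byte. The encoder and decoder below are constructed for this example and handle only the short-form DER length.

```c
#include <stddef.h>
#include <string.h>

/* GeneralName iPAddress is [7] IMPLICIT OCTET STRING; the context-specific
 * primitive tag 7 is 0x87. Only 4-byte (IPv4) or 16-byte (IPv6) values are
 * accepted, so the short-form DER length always suffices. Returns bytes
 * written, or 0 on error. */
size_t san_ip_encode(const unsigned char *ip, size_t ip_len,
                     unsigned char *out, size_t out_len)
{
    if (ip_len != 4 && ip_len != 16) return 0;
    if (out_len < 2 + ip_len) return 0;
    out[0] = 0x87;
    out[1] = (unsigned char)ip_len;
    memcpy(out + 2, ip, ip_len);
    return 2 + ip_len;
}

/* Strict decoder: checks tag, length and total size before copying.
 * Returns the address length (4 or 16), or 0 if the encoding is bad. */
size_t san_ip_decode(const unsigned char *der, size_t der_len,
                     unsigned char *ip, size_t ip_cap)
{
    if (der_len < 2 || der[0] != 0x87) return 0;
    size_t n = der[1];
    if ((n != 4 && n != 16) || der_len != 2 + n || ip_cap < n) return 0;
    memcpy(ip, der + 2, n);
    return n;
}

/* The flawed pattern from the rant: a string-style API that infers the
 * length with strlen(). For a packed address containing a zero byte the
 * value is silently cut short and the encoder rejects it. */
size_t san_ip_encode_strlen(const char *ip, unsigned char *out, size_t out_len)
{
    return san_ip_encode((const unsigned char *)ip, strlen(ip), out, out_len);
}

/* Constructed round-trip check: returns 1 when the length-aware path
 * round-trips 10.0.0.1 and the strlen path fails on the same bytes. */
int san_ip_selftest(void)
{
    const unsigned char ip[4] = {10, 0, 0, 1};   /* packed 10.0.0.1 */
    const char ip_cstr[5] = {10, 0, 0, 1, 0};     /* same bytes, NUL-terminated */
    unsigned char der[32], back[16];
    size_t n = san_ip_encode(ip, sizeof ip, der, sizeof der);
    if (n != 6 || der[0] != 0x87 || der[1] != 4) return 0;
    if (san_ip_decode(der, n, back, sizeof back) != 4) return 0;
    if (memcmp(back, ip, 4) != 0) return 0;
    return san_ip_encode_strlen(ip_cstr, der, sizeof der) == 0;  /* strlen() saw 1 byte */
}
```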
