GnuTLS considered harmful

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun May 30 11:54:34 CEST 2010


Stephane Bortzmeyer wrote:
> As far as I know, this rant has never been discussed here:
> 
> http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
> 
> [...] I strongly recommend that GnuTLS not be used. All of its APIs
> would need to be overhauled to correct its flaws [...]

It's a rant. As far as I remember, he was referring to a single function
that had an issue in gnutls and generalized it. His generalized claims
were not true back then and are not true now. His claim about the given
function was true and was fixed in later versions.

I believe he got confused by the ASN.1 library API that uses strings to
refer to positions in the PKIX1 schema, such as "PKIX1.GeneralTime". For
those fixed-size strings we use string functions, and this might confuse
someone just doing grep on the code and not familiar with the API.

regards,
Nikos
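The message above describes an API where ASN.1 schema positions are named by dotted strings such as "PKIX1.GeneralTime" held in fixed-size buffers, and notes that string functions on such buffers can look alarming to someone auditing with grep. The following added example (not code from GnuTLS, libtasn1 or the original message; the buffer size and function names are assumptions for illustration) shows the bound check a reviewer would want to see next to any such string operation: the dotted name is assembled only after verifying that parent, separator, child and terminating NUL all fit.

```c
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the fixed-size buffer that holds a dotted
 * schema name like "PKIX1.GeneralTime". Constructed for this example. */
#define ASN1_NAME_MAX 64

/* Write "parent.child" into out (capacity ASN1_NAME_MAX).
 * Returns 0 on success, -1 if the result (including the NUL) would
 * not fit. Nothing is written to out on failure. */
int asn1_join_name(char out[ASN1_NAME_MAX], const char *parent,
                   const char *child)
{
    size_t plen = strlen(parent);
    size_t clen = strlen(child);

    /* Explicit length check before any string function touches out.
     * This is the check a grep-based audit cannot see from the
     * memcpy/strcpy call alone. */
    if (plen + 1 + clen + 1 > ASN1_NAME_MAX)
        return -1;

    memcpy(out, parent, plen);
    out[plen] = '.';
    memcpy(out + plen + 1, child, clen);
    out[plen + 1 + clen] = '\0';
    return 0;
}

/* Convenience wrapper returning a pointer to a static buffer, or NULL
 * when the joined name does not fit. Not thread-safe; example only. */
const char *asn1_join_name_static(const char *parent, const char *child)
{
    static char buf[ASN1_NAME_MAX];
    if (asn1_join_name(buf, parent, child) != 0)
        return NULL;
    return buf;
}

int main(void)
{
    /* Constructed inputs: a schema module and a type name. */
    const char *ok = asn1_join_name_static("PKIX1", "GeneralTime");
    printf("joined: %s\n", ok ? ok : "(does not fit)");

    /* Constructed overlong component to exercise the rejection path. */
    char longname[ASN1_NAME_MAX + 8];
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    const char *bad = asn1_join_name_static("PKIX1", longname);
    printf("overlong: %s\n", bad ? bad : "rejected");
    return 0;
}
```

The point of the example is that the safety of a fixed-size string operation is decided by the length check that precedes it, so an audit has to read the surrounding lines rather than count calls to string functions.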
