Fwd: Re: [oss-security] CVE Request: evolution-data-server lacks SSL checking in its libsoup users

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon May 7 02:31:21 CEST 2012


Hi GnuTLS folks--

The attached message came through oss-security recently [0], and i just
wanted to bring it to the attention of the users and developers of GnuTLS.

In particular, i wanted to take Ludwig's concern seriously here:

> Openssl in all its
> ugliness at least provides SSL_CTX_set_default_verify_paths(). gnutls
> doesn't have an equivalent. It's utterly stupid to require each and
> every application to hard code the path to a certificate bundle.
> Defaulting to not doing any checks at all if the application programmer
> forgot to set the magic option isn't exactly clever either.

Is there a way that GnuTLS can help facilitate proper peer verification
by application (or library) developers who depend on the project?

As a baseline, are there documentation improvements we could offer, or
best practice guidelines we should be encouraging?  More aggressively,
is there some way we could consider offering a simple best-practice
certification config in the priority string, or as default behavior if
no other verification mechanism is specified?

Any thoughts?  Is there already a helpful and useful response that we
can offer to Ludwig's complaint?

All the best,

	--dkg

[0] http://www.openwall.com/lists/oss-security/2012/05/04/6
-------------- next part --------------
An embedded message was scrubbed...
From: Ludwig Nussel <ludwig.nussel at suse.de>
Subject: Re: [oss-security] CVE Request: evolution-data-server lacks SSL checking in its libsoup users
Date: Fri, 04 May 2012 13:00:45 +0200
Size: 4133
URL: </pipermail/attachments/20120506/f4887f1d/attachment.eml>