[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: GnuTLS considered harmful

To: Simon Josefsson <simon@josefsson.org>
Subject: Re: GnuTLS considered harmful
From: Michael Ströder <michael@stroeder.com>
Date: Wed, 27 Feb 2008 15:05:01 +0100
Cc: OpenLDAP Devel <openldap-devel@openldap.org>
In-reply-to: <87mypmr61c.fsf@mocca.josefsson.org>
References: <47B751BF.8010103@symas.com> <87lk57zo2h.fsf@mocca.josefsson.org> <47C51ECB.1000100@symas.com> <87mypmr61c.fsf@mocca.josefsson.org>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080201 SeaMonkey/1.1.8

Simon,

I know *very* little about C programming but...

Simon Josefsson wrote:


I don't think it is unreasonable for a SAN related API to work with
zero-terminated strings.  The typical SAN's like dNSName, rfc822Name,
and uniformResourceIdentifier are human readable strings.  Most
applications will work with the strings in zero-terminated form.

...having implemented a cert parser in Python I'd like to emphasize that the attitude of "Most applications will work" is for me a real show-stopper for deploying GnuTLS especially regarding possible security issues.

In my project experience I saw so many PKI-enabled software packages crashing while handling even perfectly valid certificates (not to speak of mal-formed certs issued by some commercial CAs).

Ciao, Michael.

Follow-Ups:
- Re: GnuTLS considered harmful
  - From: Simon Josefsson <simon@josefsson.org>

References:
- GnuTLS considered harmful
  - From: Howard Chu <hyc@symas.com>
- Re: GnuTLS considered harmful
  - From: Howard Chu <hyc@symas.com>
- Re: GnuTLS considered harmful
  - From: Simon Josefsson <simon@josefsson.org>

Prev by Date: Re: GnuTLS considered harmful
Next by Date: Re: GnuTLS considered harmful
Index(es):
- Chronological
- Thread