74 lines
2.9 KiB
Markdown
74 lines
2.9 KiB
Markdown
---
|
|
created_at: '2014-03-05T15:35:11.000Z'
|
|
title: GnuTLS considered harmful (2008)
|
|
url: http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
|
|
author: calpaterson
|
|
points: 167
|
|
story_text: ''
|
|
comment_text:
|
|
num_comments: 116
|
|
story_id:
|
|
story_title:
|
|
story_url:
|
|
parent_id:
|
|
created_at_i: 1394033711
|
|
_tags:
|
|
- story
|
|
- author_calpaterson
|
|
- story_7347500
|
|
objectID: '7347500'
|
|
year: 2008
|
|
|
|
---
|
|
[Source](http://www.openldap.org/lists/openldap-devel/200802/msg00072.html "Permalink to GnuTLS considered harmful")
|
|
|
|
# GnuTLS considered harmful
|
|
|
|
* * *
|
|
|
|
[[Date Prev][1]][[Date Next][2]] [[Chronological]][3] [[Thread]][4] [[Top]][5]
|
|
|
|
# GnuTLS considered harmful
|
|
|
|
* * *
|
|
* **To**: **OpenLDAP Devel <[openldap-devel@openldap.org][6]>**
|
|
* **Subject**: **GnuTLS considered harmful**
|
|
* **From**: **Howard Chu <[hyc@symas.com][7]>**
|
|
* Date: Sat, 16 Feb 2008 13:12:31 -0800
|
|
* User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b3pre) Gecko/2008013117 SeaMonkey/2.0a1pre
|
|
* * *
|
|
|
|
`The recent trouble in ITS#5361 prompted me to look into the GnuTLS code a little deeper. It turns out that their corresponding set_subject_alt_name() API only takes a char * pointer as input, without a corresponding length. As such, this API will only work for string-form alternative names, and will typically break with IP addresses and other alternatives.`
|
|
|
|
`Looking across more of their APIs, I see that the code makes liberal use of strlen and strcat, when it needs to be using counted-length data blobs everywhere. In short, the code is fundamentally broken; most of its external and internal APIs are incapable of passing binary data without mangling it. The code is completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data.`
|
|
|
|
`I strongly recommend that GnuTLS not be used. All of its APIs would need to be overhauled to correct its flaws and it's clear that the developers there are too naive and inexperienced to even understand that it's broken.
|
|
\--
|
|
\-- Howard Chu
|
|
Chief Architect, Symas Corp. <http://www.symas.com>
|
|
Director, Highland Sun <http://highlandsun.com/hyc/>
|
|
Chief Architect, OpenLDAP <http://www.openldap.org/project/>`
|
|
|
|
|
|
* * *
|
|
* **Follow-Ups**:
|
|
* [**Re: GnuTLS considered harmful][2]**
|
|
* _From:_ "Gavin Henry" <ghenry@suretecsystems.com>
|
|
* [**Re: GnuTLS considered harmful][8]**
|
|
* _From:_ Albert Chin <openldap-devel@mlists.thewrittenword.com>
|
|
* Prev by Date: [**Re: RE23 testing][1]**
|
|
* Next by Date: [**Re: GnuTLS considered harmful][2]**
|
|
* Index(es):
|
|
* [**Chronological**][3]
|
|
* [**Thread**][4]
|
|
|
|
[1]: http://www.openldap.org/msg00071.html
|
|
[2]: http://www.openldap.org/msg00073.html
|
|
[3]: http://www.openldap.org/index.html#00072
|
|
[4]: http://www.openldap.org/threads.html#00072
|
|
[5]: http://www.openldap.org/lists/openldap-devel
|
|
[6]: mailto:openldap-devel%40openldap.org
|
|
[7]: mailto:hyc%40symas.com
|
|
[8]: http://www.openldap.org/msg00092.html
|
|
|