Bug#446036: exim4: please compile against openssl instead of gnutls

Sam Morris sam at robots.org.uk
Sat May 30 13:39:08 BST 2020


I can't speak for whether GnuTLS' historical interoperability issues
are still a problem.

I think it is worth noting that OpenSSL 3.0 is available under the
Apache License v2. As such it should now be compatible with GPL'd
software excepting that which is GPLv2-only.

I would like to refer to the blog post "Cryptographic Right Answers" <
https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html
>, which makes the following recommendation regarding web site security
(I am generalizing this to apply to TLS in general, yes):

   Use AWS ALB/ELB or OpenSSL, with LetsEncrypt

   [...]

   Otherwise, there was a dark period between 2010 and 2016 where
   OpenSSL might not have been the right answer, but that time has
   passed. OpenSSL has gotten better, and, more importantly, OpenSSL is
   on-the-ball with vulnerability disclosure and response.

   Using anything besides OpenSSL will drastically complicate your
   system for little, no, or even negative security benefit. So just
   keep it simple.

   [...]

   Avoid: offbeat TLS libraries like PolarSSL, GnuTLS, and MatrixSSL.

OpenSSL is also recommended by previous 'cryptographic right answers'
posts from others over the years (Thomas Ptacek in 2015 and Colin
Percival in 2009). On the other hand, Latacora opens with:

   We’re less interested in empowering developers and a lot more
   pessimistic about the prospects of getting this stuff right.

Which does indicate a bias towards secure and correct
implementations over user freedom (after all, they recommend paying
Amazon to do TLS termination for you rather than even trying to do
it yourself with OpenSSL!)

In 2020, I think it's worth revisiting whether sticking with GnuTLS is
the best choice for Debian's users. Perhaps OpenSSL's relicensing makes
the political reason to stay with GnuTLS less important (I'll of course
defer to the opinions of the maintainers here!)

Anyway, if the maintainers would reconsider switching to OpenSSL once
3.0 enters Debian then I'd like to help!

-- 
Sam Morris <https://robots.org.uk/>
