[Pkg-openldap-devel] Bug#541256: TLS: could not set cipher list TLS_RSA_AES_256_CBC_SHA1
Howard Chu
hyc at openldap.org
Thu Aug 13 18:15:48 UTC 2009
> A change in behavior because OpenLDAP has switched to using a different
> parser for cipher suites than what was in place previously isn't "broken
> behavior on GnuTLS' part".
Steve: the fact that the behavior changed isn't "broken"; the fact that the
behavior is so completely different from the official GnuTLS documentation *is*.
> Your continuous maligning of GnuTLS in Debian
> bug reports is unhelpful; we cannot ship libldap linked against OpenSSL for
> license reasons, so reminding us how much you disapprove of GnuTLS isn't
> going to change anything - aside from discouraging me from spending time on
> bug mail for the openldap package.
As software and security professionals, we cannot in good conscience stand
mute on the subject. The quality of the code in GnuTLS is obviously low, the
risk of security vulnerabilities is high, and the cost in maintenance is only
going up. Whether you want to hear it or not, we are obligated to state for
the record that using GnuTLS is a bad idea, because that's the objective truth.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/