Hacker News new | past | comments | ask | show | jobs | submit login

PolarSSL and MatrixSSL definitely seem far off the beaten path, but many projects use GnuTLS (both as one of the more well-known non-OpenSSL codebases and because it has a GPL-compatible license). I'd be interested to know if you're concerned about it in particular.



There was a GnuTLS vulnerability introduced in 2000 was discovered in 2014 due to an audit. To summarize there was a refactoring that had no accompanying test coverage that had the effect of inverting a check.

Bugs happen to everyone, but the process that led to this one is really concerning. (OpenSSL certainly has bad process too but as the GP mentions, more people are hammering on it.)

This blog post has more (including an LWN article about it):

http://gehrcke.de/2014/03/gnutls-vulnerability-is-unit-testi...


Every security library has had vulnerabilities, and I'd be more concerned about libraries that don't (since it implies nobody is looking). Does GnuTLS seem significantly more prone to vulnerabilities than other implementations?


I would flag use of GnuTLS in an audit. Sev:lo.


What would you recommend that isn't derived from the OpenSSL codebase, for C projects that can't use OpenSSL for license reasons?

Your recommendation for TLS elsewhere in the thread was:

> You should use BoringSLL, LibreSSL, Go crypto/tls, or OpenSSL, in roughly that order.

Three of those are based on OpenSSL, and Go crypto/tls presumably only works with Go.


Porting to Windows and using schannel.

Sorry.


Guess I'll be sticking to GnuTLS then, if there's no better option available for GPLed projects to use.


Another option is wolfSSL (https://wolfssl.com/wolfSSL/Home.html) which is GPL-compatible, but also has a commercial license option. They have an OpenSSL compatibility layer, but are not a derivative of OpenSSL.

My experience with their software has been very positive, and they have avoided the majority of recent insecurities. Plus they have great support for anyone working on open source projects.


I think GnuTLS beat OpenSSL in introducing TLS 1.1 and 1.2 support.


First to the races doesn't necessarily mean quality.


But given Heartbleed, OpenSSL CCS, etc...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: