GnuTLS preferable to, and/or safer than, NSS?
Evangelos Foutras
foutrelis at archlinux.org
Wed Sep 5 10:06:06 EDT 2012
On 05/09/12 16:49, Ethan Blanton wrote:
> Evangelos Foutras spake unto us the following wisdom:
>> Would it be better for users' safety to use GnuTLS for SSL support
>
> Not to our knowledge, no.
>
>> The reason I'm asking is a report I got today [1], which links to a
>> ticket on Pidgin's tracker [2]. This ticket points to certificate
>> verification code which has been disabled using preprocessor
>> directives. However, Pidgin appears to be doing its own verification
>> by calling purple_certificate_verify() from within
>> ssl_nss_handshake_cb().
>
> The person who filed that ticket seems to have flown off the handle
> without really understanding the situation. Our understanding is that
> the certificate verification using both GnuTLS and NSS is
> substantially similar.
>
>> If someone is knowledgeable in the SSL support code, it would be
>> helpful for me to know the main advantages/disadvantages of the GnuTLS
>> vs NSS implementations in Pidgin and which one is preferable. :)
>
> This has changed over the years, but mostly depends on the
> correctness, completeness, and stability of the GnuTLS and NSS
> libraries themselves on various distributions. At the moment, I
> believe they are both pretty stable and usable. I think there's a
> stream restarting bug in GnuTLS that strikes some IRC users (although
> I may have that backward), but I'm unaware of any serious flaws in
> either library.
Thank you for the information, Ethan; it is very helpful.