GnuTLS preferable to, and/or safer than, NSS?

Evangelos Foutras foutrelis at archlinux.org
Wed Sep 5 10:06:06 EDT 2012


On 05/09/12 16:49, Ethan Blanton wrote:
> Evangelos Foutras spake unto us the following wisdom:
>> Would it be better for users' safety to use GnuTLS for SSL support
> 
> Not to our knowledge, no.
> 
>> The reason I'm asking is a report I got today [1], which links to a
>> ticket on Pidgin's tracker [2]. This ticket points to certificate
>> verification code which has been disabled using preprocessor
>> directives. However, Pidgin appears to be doing its own verification
>> by calling purple_certificate_verify() from within
>> ssl_nss_handshake_cb().
> 
> The person who filed that ticket seems to have flown off the handle
> without really understanding the situation.  Our understanding is that
> the certificate verification using both GnuTLS and NSS is
> substantially similar.
> 
>> If someone is knowledgeable in the SSL support code, it would be
>> helpful for me to know the main advantages/disadvantages of the GnuTLS
>> vs NSS implementations in Pidgin and which one is preferable. :)
> 
> This has changed over the years, but mostly depends on the
> correctness, completeness, and stability of the GnuTLS and NSS
> libraries themselves on various distributions.  At the moment, I
> believe they are both pretty stable and usable.  I think there's a
> stream restarting bug in GnuTLS that strikes some IRC users (although
> I may have that backward), but I'm unaware of any serious flaws in
> either library.

Thank you for the information, Ethan; it is very helpful.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20120905/750e092e/attachment.pgp>


More information about the Packagers mailing list