On Tue, Jun 09, 2020 at 12:21:41AM +0200, Vincent Blut wrote:
> I must admit CVE-2020-13777 [1] has cooled me down a lot about GnuTLS.
> OpenSSL 3.0 (currently in alpha stage) will use the Apache License 2.0 which
> isn’t compatible with the GPLv2. Sigh, what a mess!
>
> [1] https://gitlab.com/gnutls/gnutls/-/issues/1011

If I understand it correctly (and I don't really know much about TLS), chrony is not impacted as it doesn't support resuming TLS sessions. In the context of NTS that doesn't look like a useful feature.

Even if there wasn't the licensing issue, I'm not sure if we would be better off with openssl. Have a look at their CVE lists:

https://gnutls.org/security-new.html
https://www.openssl.org/news/vulnerabilities.html

--
Miroslav Lichvar