<quote who="Howard Chu"> > The recent trouble in ITS#5361 prompted me to look into the GnuTLS code a > little deeper. It turns out that their corresponding > set_subject_alt_name() > API only takes a char * pointer as input, without a corresponding length. > As > such, this API will only work for string-form alternative names, and will > typically break with IP addresses and other alternatives. > > Looking across more of their APIs, I see that the code makes liberal use > of > strlen and strcat, when it needs to be using counted-length data blobs > everywhere. In short, the code is fundamentally broken; most of its > external > and internal APIs are incapable of passing binary data without mangling > it. > The code is completely unsafe for handling binary data, and yet the nature > of > TLS processing is almost entirely dependent on secure handling of binary > data. > > I strongly recommend that GnuTLS not be used. All of its APIs would need > to be > overhauled to correct its flaws and it's clear that the developers there > are > too naive and inexperienced to even understand that it's broken.
So that means OpenLDAP on Debian is still not recommended if you don't compile your own OpenSSL and OpenLDAP.
