Re: [chrony-dev] Experimental NTS support
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-dev] Experimental NTS support
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Tue, 9 Jun 2020 09:22:20 +0200
On Tue, Jun 09, 2020 at 12:21:41AM +0200, Vincent Blut wrote:
> I must admit CVE-2020-13777 [1] has cooled me down a lot about GnuTLS.
> OpenSSL 3.0 (currently in alpha stage) will use the Apache License 2.0 which
> isn’t compatible with the GPLv2. Sigh, what a mess!
>
> [1] https://gitlab.com/gnutls/gnutls/-/issues/1011
If I understand it correctly (and I don't really know much about TLS),
chrony is not impacted as it doesn't support resuming TLS sessions. In
the context of NTS that doesn't look like a useful feature.

Even if there wasn't the licensing issue, I'm not sure if we would
be better off with openssl.

Have a look at their CVE lists:
https://gnutls.org/security-new.html
https://www.openssl.org/news/vulnerabilities.html
--
Miroslav Lichvar