<quote who="Bert Koelewijn">
> Timo Sirainen wrote:
>> Doing this also worries me a bit. Wasn't the recent security hole in
>> OpenSSL just in the client certificate parsing? SSL cert authentication
>> would have to rely on OpenSSL (or GNUTLS).
>
> OpenSSL has been audited many times, by many experts. If you trust
> dovecot, I think you can trust OpenSSL too.
This might be a bit off-topic, but:

- OpenSSL might be audited by many experts, but this might apply to one version, not the latest.
- OpenSSH is probably audited with the same effort as OpenSSL. Do you remember the bugs?

For me the conclusion is: every security application which is used by a large user base (such as OpenSSL or OpenSSH) is audited so closely that they always find some bugs.
Regards,
Stefan