5 Oct 2003, 12:32 p.m.
<quote who="Bert Koelewijn">
Timo Sirainen wrote:
Doing this also worries me a bit. Wasn't the recent security hole in OpenSSL just in the client certificate parsing? SSL cert authentication would have to rely on OpenSSL (or GNUTLS).
OpenSSL has been audited many times, by many experts. If you trust Dovecot, I think you can trust OpenSSL too.
This might be a bit off-topic, but:
- OpenSSL might be audited by many experts, but this might apply to a version, but not the latest.
- OpenSSH is probably audited with the same effort as OpenSSL. Do you remember the bugs?
For me the conclusion is that every security application which is used by a large userbase (such as OpenSSL or OpenSSH) is audited so closely that they always find some bugs.
regards, stefan