[Dovecot] SSL Client Certificate Support

Stefan Sels stefan at sels.com
Sun Oct 5 13:32:14 EEST 2003


<quote who="Bert Koelewijn">
> Timo Sirainen wrote:
>> Doing this also worries me a bit. Wasn't the recent security hole in
>> OpenSSL just in the client certificate parsing? SSL cert authentication
>> would have to rely on OpenSSL (or GNUTLS).
>
> OpenSSL has been audited many times, by many experts. If you trust
> dovecot, I think you can trust OpenSSL too.

this might be a bit off-topic but:
- openssl might be audited by many experts, but this might apply to a
version, but not the latest.
- openssh is probably audited with the same effort as openssl. do you
remember the bugs?

for me the conclusion is every security application which is used by a
large userbase (as openssl or openssh) is audited so closely that they
always find some bugs.

regards,
  stefan

