GnuTLS patches huge security hole that hung around for two years – worse than Heartbleed, says Google cryptoboffin
2020-06-10 06:01

GnuTLS, a widely used open source library implementing Transport Layer Security, last week fixed a bug that had been hiding in the code for almost two years and that made resumed TLS 1.3 sessions vulnerable to attack.

The flaw allowed GnuTLS servers to use session tickets issued during a previous secure TLS 1.3 session without accessing the function that generates secret keys, gnutls_session_ticket_key_generate().

The bug, introduced in GnuTLS 3.6.4, was fixed in GnuTLS 3.6.14.

Ayer has been critical of GnuTLS in the past, referring to it as a "Clownish" TLS implementation in a blog post about the expiration of Sectigo's AddTrust legacy root certificate, which affected GnuTLS. Others echoed his disdain for GnuTLS, with some arguing for its removal as a dependency.

"Never use GnuTLS," quipped Thomas H. Ptacek, a security researcher and founder of Matasano Security.


News URL

https://go.theregister.com/feed/www.theregister.com/2020/06/10/gnutls_patches_security_hole/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 141 994 4851 2756 1634 10235