[Gpg4win-devel] Gpg4win uses some gnutls for helpers (no openssl, no Heartbleed)

Bernhard Reiter bernhard at intevation.de
Thu Apr 24 09:33:00 CEST 2014


Just answered a question about the use of OpenSSL in Gpg4win, at
https://wald.intevation.org/forum/forum.php?thread_id=1317&forum_id=21&group_id=11

Summary:
The end-to-end encryption of CMS and OpenPGP does not rely on an online
connection, thus there is no need for an encrypted streamed connection.

Some GnuPG helper tools can possibly make connections via SSL/TLS,
e.g. for accessing keyservers or revocation material. 
GnuPG (and Gpg4win) uses Gnutls for this. 
So no OpenSSL, no Heartbleed.

Best Regards,
Bernhard

For the techies some more details:
The license of OpenSSL is not compatible with the licenses of GnuPG and 
Gpg4win; this is why gnutls is used.

There are several components in Gpg4win, e.g. from GTK+ and KDE Platform 4.
In theory there could be some places that OpenSSL could still be linked or 
used by one of the other components, but I think it is very unlikely. 
I've looked at some binaries on Debian Wheezy for comparison and the list of 
packages needed for building Gpg4win to provide a starting point for others 
to verify my statement:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=blob_plain;f=packages/packages.current;hb=HEAD

On Debian GNU/Linux:
 ldd /usr/lib/dirmngr/dirmngr_ldap
 ldd /usr/lib/gnupg2/gpg2keys_hkp
(I think libcurl is used there.)

The next step of confidentiality would be to examine all binaries 
with special tools to judge if functions from openssl are all absent.
(Remember, this is the techies and security engineering section,
where we are all aware that security is never perfect. :) )


-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
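The two checks the mail sketches (ldd for linked libraries, then a look at the symbol names inside the binary) can be scripted so that others can repeat the verification on their own Debian box. The script below is an added example, not code from the mail or from the Gpg4win project; the library names and OpenSSL API names it matches on are assumptions based on Debian's packaging and OpenSSL's public API, and the two sample ldd outputs are constructed for demonstration, not taken from real Gpg4win binaries.

```shell
#!/bin/sh
# Added example: look for OpenSSL in a set of binaries.
# Step 1 is the ldd check from the mail (shared libraries actually linked).
# Step 2 is the "next step": look for OpenSSL API names in the dynamic symbol
# table (nm -D) or, for stripped binaries, in the raw strings.

# Shared-library names that indicate OpenSSL (assumption: Debian naming scheme).
OPENSSL_LIBS='libssl\.so|libcrypto\.so'
# Symbol names characteristic of OpenSSL's public API (assumption: a small,
# stable subset; extend as needed).
OPENSSL_SYMS='SSL_CTX_new|SSL_library_init|OPENSSL_init|EVP_EncryptInit|CRYPTO_malloc'

# check_ldd_output: reads ldd output on stdin, prints the offending lines,
# returns 0 if an OpenSSL library is linked and 1 otherwise.
check_ldd_output() {
    grep -E "$OPENSSL_LIBS"
}

# check_symbols: reads one symbol name per line on stdin,
# returns 0 if any OpenSSL API name is present and 1 otherwise.
check_symbols() {
    grep -E -q "$OPENSSL_SYMS"
}

# scan_binary: run both checks against a real file.
# Needs ldd (glibc) and nm/strings (binutils); assumption: both are installed.
scan_binary() {
    bin="$1"
    printf '== %s\n' "$bin"
    if ldd "$bin" 2>/dev/null | check_ldd_output; then
        echo "  LINKED: OpenSSL shared library found"
    else
        echo "  ok: no libssl/libcrypto in ldd output"
    fi
    # nm -D prints "address type name"; awk keeps the last field (the name).
    # For stripped binaries nm -D fails and strings is used instead.
    if { nm -D "$bin" 2>/dev/null || strings "$bin"; } | awk '{print $NF}' | check_symbols; then
        echo "  SYMBOLS: OpenSSL API names present in binary"
    else
        echo "  ok: no OpenSSL API names found"
    fi
}

# Constructed ldd outputs for demonstration (not from real Gpg4win binaries).
SAMPLE_LDD_GNUTLS='    linux-vdso.so.1 =>  (0x00007fff00000000)
    libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000100000)'
SAMPLE_LDD_OPENSSL='    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000000000)
    libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000200000)'

# Usage, mirroring the mail:
#   sh check_openssl.sh /usr/lib/dirmngr/dirmngr_ldap /usr/lib/gnupg2/gpg2keys_hkp
for b in "$@"; do
    scan_binary "$b"
done
```

Both checks only find OpenSSL that is present as a shared library or under its usual symbol names; a component that statically links OpenSSL and is stripped would show neither, which is why the mail calls this a step towards confidence rather than proof.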