According to some reports you'd think the security sky was falling. Yes, GnuTLS, an open-source "secure" communications library that implements \Secure-Socket Layer (SSL) and Transport Layer Security (TLS), has serious flaws. The good news? Almost no one uses it. OpenSSL has long been everyone's favorite open-source security library of choice.
You see, GnuTLS has long been regarded as being a poor SSL/TLS security library. A 2008 message on the OpenLDAP mailing list had "GnuTLS considered harmful" as its subject — which summed it up nicely.
In it, Howard Chu, chief architect for the OpenLDAP, the open-source implementation of the Lightweight Directory Access Protocol (LDAP), wrote, "In short, the code is fundamentally broken; most of its external and internal APIs are incapable of passing binary data without mangling it. The code is completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data. I strongly recommend that GnuTLS not be used. All of its APIs would need to be overhauled to correct its flaws and it's clear that the developers there are too naive and inexperienced to even understand that it's broken."
Now, make no mistake about it these are all important programs but none of them are used for financial transfers or other situations where a man-in-the-middle attack is likely to cause significant damage. In short, while the code's a real mess, it's highly unlikely anyone in danger of losing credit-card numbers to it. The Apple iOS and Mac OS X goto problem was much more serious.
To sum up, no one should be using GnuTLS. There are far better security programs out there starting with the far more popular OpenSSL. If for some reason you must use GnuTLS for now, either upgrade to the latest GnuTLS version (3.2.12) or apply the GnuTLS 2.12.x patch. Oh, and developers? Start weaning your programs from GnuTLS, you, and your users, will be glad you did.