
> Also, because it relies on session tickets, there's a time window after which the ticket gets cycled and properly initialized. But that is apparently 6 hours by default so it is going to protect only really long-lasting TLS sessions, which are uncommon, I would argue.

I'm the author of the Tweet which this paragraph links to. The author of this blog post is misinterpreting the problem. It's not the session ticket which is rotated after 6 hours, but the session ticket encryption key (STEK). This has nothing to do with the length of the TLS session, but rather the lifetime of the process using GnuTLS. For the first 6 hours, connections made to the GnuTLS server are vulnerable. After the process has been running for 6 hours, new connections are safe (assuming there's no other GnuTLS vulnerability). This reduces the impact of the vulnerability considerably (although it's still really bad).

> It is likely that people don't have OpenSSL in mind when they suggest moving away from GnuTLS

No, OpenSSL is exactly what we have in mind, including Filippo: https://twitter.com/FiloSottile/status/1270130358634283008

OpenSSL isn't perfect but it has improved considerably since Heartbleed and has the resources (funding and competent people) that a crypto project needs.




> > It is likely that people don't have OpenSSL in mind when they suggest moving away from GnuTLS

> No, OpenSSL is exactly what we have in mind, including Filippo: https://twitter.com/FiloSottile/status/1270130358634283008

Please note that the next version of OpenSSL (version 3) will be licensed under the Apache 2.0 license [1], making it incompatible with GPL v2 libraries and applications [2].

GPL v2 applications will be stuck with OpenSSL 1.x (or GnuTLS or other libs).

[1] https://wiki.openssl.org/index.php/OpenSSL_3.0#License_Chang...

[2] https://www.gnu.org/licenses/license-list.en.html#apache2


To be clear, it will be incompatible with GPLv2-only software. Projects which use the default GPLv2 license notice will be able to link with OpenSSL 3 without problem, since the notice permits the software to be re-licensed under newer versions of the GPL.

Also note that the old OpenSSL license was incompatible with both GPLv2 and GPLv3 (unless the project provided an exception for OpenSSL). So OpenSSL 3's license change increases compatibility with GPL software.



