On 19/04/14 05:48 AM, Andreas Metzler wrote:
> Hello,
Hi Andreas, thanks for starting the conversation about this!
> given that gmp has been dual-licensed LGPLv3+/GPLv2+ it should be
> possible to switch openldap over to the newer version of gnutls.
> Upstream's 0205e83f4670d10ad3c6ae4b8fc5ec1d0c7020c0 lets the Debian
> package build successfully (including testsuite).
And TLS with a server certificate seems to work, as does SASL EXTERNAL
authentication with a client certificate. Good!
> However, even with the patch there is still some work to be done.
> libraries/libldap/tls_g.c has some gcrypt related code that should be
> simply unnecessary with gnutls3, therefore it should not link against
> libgcrypt either.
I see two remaining gcrypt calls in tls_g.c.
161: gcry_control (GCRYCTL_SET_THREAD_CBS, &tlsg_thread_cbs);
It sounds like nettle itself doesn't need such callbacks, but even so I
suspect this should be replaced with a gnutls_global_set_mutex call in
order to keep using the internal threading abstraction, as per the
gnutls NEWS.
174: gcry_control( GCRYCTL_SET_RNDEGD_SOCKET, lo->ldo_tls_randfile ))
And for that, it looks like nettle uses a hard-coded list of possible
locations for that socket, so I guess there's no replacement call. Well,
the manpage already says the randfile option doesn't work under gnutls,
I guess this will make it true again. :)
> (Except for contrib/slapd-modules/smbk5pwd/smbk5pwd.c).
Right, that one actually uses gcrypt; it's not just there for gnutls.
I'll have a look later at how much work porting that will be, and I'll
send this information upstream too.
thanks,
Ryan
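For the first of the two gcrypt calls discussed above, this is what the gnutls-side replacement looks like in practice. It is an added illustration, not code from OpenLDAP's tls_g.c or from the Debian patch: pthread-backed mutex callbacks in the shape gnutls_global_set_mutex() expects (each takes a void** handle and returns 0 on success), plus a registration routine that must run before gnutls_global_init(). The tlsg_ function names are hypothetical. To keep the example buildable where libgnutls is not linked, gnutls_global_set_mutex is declared here as a weak symbol mirroring the prototype in <gnutls/gnutls.h>; real code would simply include that header and link against gnutls.

```c
/* Added example, not OpenLDAP code: mutex callbacks for gnutls 3 in place of
 * gcry_control(GCRYCTL_SET_THREAD_CBS, ...). All tlsg_ names are hypothetical. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

typedef int (*tlsg_mutex_fn)(void **);

/* Prototype mirrors gnutls.h; declared weak so the file links (and the
 * registration degrades to ENOSYS) when libgnutls is not present. */
extern void gnutls_global_set_mutex(tlsg_mutex_fn init, tlsg_mutex_fn deinit,
                                    tlsg_mutex_fn lock, tlsg_mutex_fn unlock)
    __attribute__((weak));

/* gnutls owns an opaque handle per lock; we hand it a heap-allocated mutex. */
static int tlsg_mutex_init(void **priv)
{
    pthread_mutex_t *m = malloc(sizeof *m);
    if (m == NULL)
        return ENOMEM;
    if (pthread_mutex_init(m, NULL) != 0) {
        free(m);
        return EINVAL;
    }
    *priv = m;
    return 0;
}

static int tlsg_mutex_deinit(void **priv)
{
    pthread_mutex_t *m = *priv;
    int rc = pthread_mutex_destroy(m);
    free(m);
    *priv = NULL;
    return rc;
}

static int tlsg_mutex_lock(void **priv)
{
    return pthread_mutex_lock(*priv);
}

static int tlsg_mutex_unlock(void **priv)
{
    return pthread_mutex_unlock(*priv);
}

/* Register the callbacks with gnutls. Call before gnutls_global_init().
 * Returns 0 when registered, ENOSYS when built without libgnutls. */
int tlsg_register_mutex_callbacks(void)
{
    if (gnutls_global_set_mutex == NULL)
        return ENOSYS;
    gnutls_global_set_mutex(tlsg_mutex_init, tlsg_mutex_deinit,
                            tlsg_mutex_lock, tlsg_mutex_unlock);
    return 0;
}

/* Drive the callbacks the way the library would (init, lock/unlock, deinit)
 * and report the first failing step; 0 means every step succeeded. */
int tlsg_mutex_selftest(void)
{
    void *m = NULL;
    int i;

    if (tlsg_mutex_init(&m) != 0 || m == NULL)
        return -1;
    for (i = 0; i < 3; i++) {
        if (tlsg_mutex_lock(&m) != 0)
            return -2;
        if (tlsg_mutex_unlock(&m) != 0)
            return -3;
    }
    if (tlsg_mutex_deinit(&m) != 0 || m != NULL)
        return -4;
    return 0;
}
```

In tls_g.c the registration would sit where the gcry_control() call is today, still before gnutls_global_init(); nothing else about the gcrypt thread-callback table carries over, since nettle itself has no equivalent to set.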