Hi Simon,

On Wed, Jan 14, 2009 at 03:03:32PM +0100, Simon Josefsson wrote:
> > However, after putting that string into TLS_CIPHER_SUITE
>
> Your mistake is that you assume that OpenLDAP passes the
> TLS_CIPHER_SUITE string to GnuTLS' priority string functions. Alas, it
> doesn't. Thus, your problem is a feature request really, for OpenLDAP
> to support GnuTLS priority strings.
>
> A proper fix requires co-ordination with the OpenLDAP people. Either
> they 1) remove all strange code for parsing ciphers for GnuTLS and only
> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
> they introduce a new configuration keyword TLS_PRIORITY that is sent
> to GnuTLS's priority functions. Given that TLS_CIPHER_SUITE accepts
> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
> priority strings, so I would recommend 1). And improve the
> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
> manual in the OpenLDAP documentation.

Hmm, does this mean Debian bug #464625 is fixed? The syntax you're describing certainly includes a lot more overlap with OpenSSL syntax than what I recall from the last time this came up, but perhaps the compatibility isn't good enough that we would want to revert the changes from bug #462588 if openldap were patched to call gnutls_priority_set_direct()?

I would have been happy to pursue this sooner if I had known this might be an option, but bug #464625 has seen no activity since May.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org