Steve Langasek <vor...@debian.org> writes:

> Hi Simon,
>
> On Wed, Jan 14, 2009 at 03:03:32PM +0100, Simon Josefsson wrote:
>
>> > However, after putting that string into TLS_CIPHER_SUITE
>
>> Your mistake is that you assume that OpenLDAP passes the
>> TLS_CIPHER_SUITE string to GnuTLS' priority string functions. Alas, it
>> doesn't. Thus, your problem is a feature request really, for OpenLDAP
>> to support GnuTLS priority strings.
>
>> A proper fix requires co-ordination with the OpenLDAP people. Either
>> they 1) remove all strange code for parsing ciphers for GnuTLS and only
>> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
>> they introduce a new configuration keyword TLS_PRIORITY that is sent
>> to GnuTLS's priority functions. Given that TLS_CIPHER_SUITE accepts
>> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
>> priority strings, so I would recommend 1). And improve the
>> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
>> manual in the OpenLDAP documentation.
>
> Hmm, does this mean Debian bug #464625 is fixed?

Alas, no. The syntax is still different.

> The syntax you're describing certainly includes a lot more overlap
> with OpenSSL syntax than what I recall from the last time this came
> up, but perhaps the compatibility isn't good enough that we would want
> to revert the changes from bug #462588 if openldap were patched to
> call gnutls_priority_set_direct()?

That bug seems to fix several issues, so I'm not sure what you refer to.

> I would have been happy to pursue this sooner if I had known this might be
> an option, but bug #464625 has seen no activity since May.

To avoid configuration file compatibility, maybe there should be a new
keyword GNUTLS_CIPHER_SUITE instead that is documented to only be for
GnuTLS priority strings, and let TLS_CIPHER_SUITE be documented for only
OpenSSL strings. If openldap is linked with GnuTLS, it would refuse to
start if TLS_CIPHER_SUITE is defined, and vice versa. But maybe this
just complicates the issue further...

I guess the simplest is to let TLS_CIPHER_SUITE result in calling
gnutls_priority_* on the string, and document that the syntax of that
configuration keyword depends on whether you use GnuTLS or OpenSSL.

/Simon