Full_Name: Quanah Gibson-Mount
Version: 2.4.13
OS: NA
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.29.239)


See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510346

Summary from Simon Josefsson:

A proper fix requires co-ordination with the OpenLDAP people. Either
they 1) remove all strange code for parsing ciphers for GnuTLS and only
use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
they introduce a new configuration keyword TLS_PRIORITY that is sent
to GnuTLS's priority functions. Given that TLS_CIPHER_SUITE accepts
OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
priority strings, so I would recommend 1). And improve the
documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
manual in the OpenLDAP documentation.

/Simon
quanah@OpenLDAP.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.13
> OS: NA
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (75.111.29.239)
>
>
> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510346
>
> Summary from Simon Josefsson:
>
> A proper fix requires co-ordination with the OpenLDAP people. Either
> they 1) remove all strange code for parsing ciphers for GnuTLS and only
> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
> they introduce a new configuration keyword TLS_PRIORITY that is sent
> to GnuTLS's priority functions. Given that TLS_CIPHER_SUITE accepts
> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
> priority strings, so I would recommend 1). And improve the
> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
> manual in the OpenLDAP documentation.

Sounds like we should do (1). There was no such API in GnuTLS when our
support was written, which is why we had to go to the trouble of parsing
the cipher suites ourselves. I'm fine with ripping that all out, if
someone will tell us what minimum version of GnuTLS provides the new API.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
--On Wednesday, January 14, 2009 7:29 PM +0000 hyc@symas.com wrote:

> quanah@OpenLDAP.org wrote:
>> Full_Name: Quanah Gibson-Mount
>> Version: 2.4.13
>> OS: NA
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (75.111.29.239)
>>
>>
>> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510346
>>
>> Summary from Simon Josefsson:
>>
>> A proper fix requires co-ordination with the OpenLDAP people. Either
>> they 1) remove all strange code for parsing ciphers for GnuTLS and only
>> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
>> they introduce a new configuration keyword TLS_PRIORITY that is sent
>> to GnuTLS's priority functions. Given that TLS_CIPHER_SUITE accepts
>> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
>> priority strings, so I would recommend 1). And improve the
>> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
>> manual in the OpenLDAP documentation.
>
> Sounds like we should do (1). There was no such API in GnuTLS when our
> support was written, which is why we had to go to the trouble of parsing
> the cipher suites ourselves. I'm fine with ripping that all out, if
> someone will tell us what minimum version of GnuTLS provides the new API.

Simon?

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount <quanah@zimbra.com> writes:

> --On Wednesday, January 14, 2009 7:29 PM +0000 hyc@symas.com wrote:
>
>> quanah@OpenLDAP.org wrote:
>>> Full_Name: Quanah Gibson-Mount
>>> Version: 2.4.13
>>> OS: NA
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (75.111.29.239)
>>>
>>>
>>> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510346
>>>
>>> Summary from Simon Josefsson:
>>>
>>> A proper fix requires co-ordination with the OpenLDAP people. Either
>>> they 1) remove all strange code for parsing ciphers for GnuTLS and only
>>> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
>>> they introduce a new configuration keyword TLS_PRIORITY that is sent
>>> to GnuTLS's priority functions. Given that TLS_CIPHER_SUITE accepts
>>> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
>>> priority strings, so I would recommend 1). And improve the
>>> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
>>> manual in the OpenLDAP documentation.
>>
>> Sounds like we should do (1). There was no such API in GnuTLS when our
>> support was written, which is why we had to go to the trouble of parsing
>> the cipher suites ourselves. I'm fine with ripping that all out, if
>> someone will tell us what minimum version of GnuTLS provides the new API.
>
> Simon?

The APIs were released as stable for v2.2.0 on 2007-12-14.

Perhaps you could have an autoconf test for gnutls_priority_set_direct
and only enable the new code conditionally.

/Simon
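The configure-time test Simon proposes, written out as an added example (this is not OpenLDAP's own configure.in or any code from the thread). It checks for GnuTLS 2.2.0 or newer via pkg-config, then confirms by linking that gnutls_priority_set_direct() is really present with its documented prototype, so that the in-tree cipher-suite parser is only compiled when the priority-string API is missing. The preprocessor symbol HAVE_GNUTLS_PRIORITY_SET_DIRECT, the shell variable gnutls_has_priority and the --with-gnutls-priority option are names assumed for this example; PKG_CHECK_MODULES needs pkg.m4 on the aclocal path.

```autoconf
dnl Added example (not OpenLDAP's configure.in): detect whether the installed
dnl GnuTLS provides gnutls_priority_set_direct(), stable since GnuTLS 2.2.0
dnl per Simon's note, so that the hand-rolled TLS_CIPHER_SUITE parser is built
dnl only when the API is absent. HAVE_GNUTLS_PRIORITY_SET_DIRECT,
dnl gnutls_has_priority and --with-gnutls-priority are assumed names.

AC_ARG_WITH([gnutls-priority],
  [AS_HELP_STRING([--without-gnutls-priority],
    [do not use gnutls_priority_set_direct even if GnuTLS provides it])],
  [], [with_gnutls_priority=yes])

dnl Step 1: version gate through pkg-config (GnuTLS installs gnutls.pc).
PKG_CHECK_MODULES([GNUTLS], [gnutls >= 2.2.0],
  [gnutls_has_priority=yes],
  [gnutls_has_priority=no])

dnl Step 2: version numbers can be misleading (vendor backports, partial
dnl builds), so confirm by linking a program that calls the function with
dnl its documented prototype:
dnl   int gnutls_priority_set_direct(gnutls_session_t, const char *, const char **)
AS_IF([test "x$gnutls_has_priority" = xyes && test "x$with_gnutls_priority" = xyes], [
  save_CFLAGS="$CFLAGS"; save_LIBS="$LIBS"
  CFLAGS="$CFLAGS $GNUTLS_CFLAGS"; LIBS="$GNUTLS_LIBS $LIBS"
  AC_MSG_CHECKING([whether gnutls_priority_set_direct is usable])
  AC_LINK_IFELSE([AC_LANG_PROGRAM(
    [[#include <gnutls/gnutls.h>]],
    [[gnutls_session_t s = NULL;
      const char *err_pos = NULL;
      /* The program is only linked, never run, at configure time. */
      return gnutls_priority_set_direct(s, "NORMAL", &err_pos);]])],
    [AC_MSG_RESULT([yes])
     AC_DEFINE([HAVE_GNUTLS_PRIORITY_SET_DIRECT], [1],
       [Define to 1 if GnuTLS provides gnutls_priority_set_direct().])],
    [AC_MSG_RESULT([no])
     gnutls_has_priority=no])
  CFLAGS="$save_CFLAGS"; LIBS="$save_LIBS"
])

dnl Step 3: make the fallback visible at build time rather than silent.
AS_IF([test "x$gnutls_has_priority" != xyes],
  [AC_MSG_WARN([GnuTLS priority API not available: TLS_CIPHER_SUITE will be handled by the legacy in-tree cipher parser, not by GnuTLS priority strings])])
```

With this in place the C side wraps the old parser in `#ifndef HAVE_GNUTLS_PRIORITY_SET_DIRECT` and otherwise hands the TLS_CIPHER_SUITE value straight to gnutls_priority_set_direct(). On a malformed string that call fails and sets its err_pos argument to the offending position in the input, which is worth logging at startup: a typo in a priority string should be a loud configuration error, not a quiet fall-through to whatever the library's defaults happen to be.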
changed notes changed state Open to Test moved from Incoming to Software Enhancements
changed notes changed state Test to Release
changed notes changed state Release to Closed
added in HEAD added in RE24