
(ITS#5887) Fix GnuTLS support for TLS_CIPHER_SUITE
Full_Name: Quanah Gibson-Mount
Version: 2.4.13
OS: NA
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.29.239)


See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510346

Summary from Simon Josefsson:

A proper fix requires co-ordination with the OpenLDAP people.  Either
they 1) remove all strange code for parsing ciphers for GnuTLS and only
use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
they introduce a new configuration keyword TLS_PRIORITY that is sent
to GnuTLS's priority functions.  Given that TLS_CIPHER_SUITE accepts
OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
priority strings, so I would recommend 1).  And improve the
documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
manual in the OpenLDAP documentation.

/Simon