
Re: (ITS#5887) Fix GnuTLS support for TLS_CIPHER_SUITE



quanah@OpenLDAP.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.13
> OS: NA
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (75.111.29.239)
>
>
> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510346
>
> Summary from Simon Josefsson:
>
> A proper fix requires co-ordination with the OpenLDAP people.  Either
> they 1) remove all strange code for parsing ciphers for GnuTLS and only
> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
> they introduce a new configuration keyword TLS_PRIORITY that is sent
> to GnuTLS's priority functions.  Given that TLS_CIPHER_SUITE accepts
> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
> priority strings, so I would recommend 1).  And improve the
> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
> manual in the OpenLDAP documentation.

Sounds like we should do (1). There was no such API in GnuTLS when our support 
was written, which is why we had to go to the trouble of parsing the cipher 
suites ourselves. I'm fine with ripping that all out, if someone will tell us 
what minimum version of GnuTLS provides the new API.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/