[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5887) Fix GnuTLS support for TLS_CIPHER_SUITE

--On Wednesday, January 14, 2009 7:29 PM +0000 hyc@symas.com wrote:

> quanah@OpenLDAP.org wrote:
>> Full_Name: Quanah Gibson-Mount
>> Version: 2.4.13
>> OS: NA
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (
>> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510346
>> Summary from Simon Josefsson:
>> A proper fix requires co-ordination with the OpenLDAP people.  Either
>> they 1) remove all strange code for parsing ciphers for GnuTLS and only
>> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
>> they introduce a new configuration keyword TLS_PRIORITY that is is sent
>> to GnuTLS's priority functions.  Given that TLS_CIPHER_SUITE accepts
>> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
>> priority strings, so I would recommend 1).  And improve the
>> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
>> manual in the OpenLDAP documentation.
> Sounds like we should do (1). There was no such API in GnuTLS when our
> support  was written, which is why we had to go to the trouble of parsing
> the cipher  suites ourselves. I'm fine with ripping that all out, if
> someone will tell us  what minimum version of GnuTLS provides the new API.




Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration