[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5887) Fix GnuTLS support for TLS_CIPHER_SUITE

Quanah Gibson-Mount <quanah@zimbra.com> writes:

> --On Wednesday, January 14, 2009 7:29 PM +0000 hyc@symas.com wrote:
>> quanah@OpenLDAP.org wrote:
>>> Full_Name: Quanah Gibson-Mount
>>> Version: 2.4.13
>>> OS: NA
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (
>>> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510346
>>> Summary from Simon Josefsson:
>>> A proper fix requires co-ordination with the OpenLDAP people.  Either
>>> they 1) remove all strange code for parsing ciphers for GnuTLS and only
>>> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
>>> they introduce a new configuration keyword TLS_PRIORITY that is is sent
>>> to GnuTLS's priority functions.  Given that TLS_CIPHER_SUITE accepts
>>> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
>>> priority strings, so I would recommend 1).  And improve the
>>> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
>>> manual in the OpenLDAP documentation.
>> Sounds like we should do (1). There was no such API in GnuTLS when our
>> support  was written, which is why we had to go to the trouble of parsing
>> the cipher  suites ourselves. I'm fine with ripping that all out, if
>> someone will tell us  what minimum version of GnuTLS provides the new API.
> Simon?

The APIs were released as stable for v2.2.0 on 2007-12-14.  Perhaps you
could have an autoconf test for gnutls_priority_set_direct and only
enable the new code conditionally.