[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7367) [PATCH] MozNSS: update list of supported cipher suites

> This is completely the wrong approach. There is no way you should be
> putting
> hardcoded constants in libldap that are tied to specific MozNSS
> versions. The
> MozNSS library needs to provide a cipher enumerator API.

Let me quote OpenLDAP documentation:

| When using Mozilla NSS, the OpenSSL cipher suite specifications are
| used and translated into the format used internally by Mozilla NSS.

And FAQ page about Mozilla NSS in OpenLDAP:

| OpenLDAP can use Mozilla NSS as the TLS/SSL implementation. If you
| previously used OpenLDAP with OpenSSL, and have certificate files,
| cipher suites, and other TLS settings specified in your configuration
| files, those settings should work exactly the same way with Mozilla
| NSS - OpenLDAP with Mozilla NSS knows how to read those settings,
| files, etc. and apply them in the same way. The goal is that you
| will not be able to tell you are using OpenLDAP with Mozilla NSS
| because it will work exactly the same as OpenLDAP with OpenSSL.

Which means that if we decided at some point to make the MozNSS layer
compatible with OpenSSL, we have to keep up with it now.

Of course, cipher suite enumeration in MozNSS is possible. But
translation from OpenSSL names without the translation table would be
very messy. I still think this is a better solution.

> There were 11 MozNSS patches in 2.4.32. Looks like 5 more waiting for
> review
> here, plus 2 already committed for 2.4.33. We will not accept patches
> that
> require constant revisiting every time NSS updates. This is too much.
> No more.

I'm sending one patch per change. And looking at the patches, I do not
think I'm introducing new bugs. It's mostly a fixes for issues present
in the code before I started sending my first patches. And be sure that
I'm testing the TLS heavily before submitting anything.

I do not understand why you strictly refuse anything which comes from
Fedora or Red Hat. We decided to use MozNSS and you can disagree. We
still want to fix the problems with that backend to use it without any
pain. Sorry, I really do not feel like your feedback is constructive.