Re: (ITS#7367) [PATCH] MozNSS: update list of supported cipher suites

Thanks for your comments, Rich.

richm@stanfordalumni.org wrote:
>> On Tuesday 02 of October 2012 14:18:49, hyc@symas.com wrote:
>>> Back to this point - surely OpenLDAP libldap is not the only piece of
>>> software that expects to use OpenSSL-style cipher suite names. libldap is
>>> certainly not the best place to put this translation.
>> I'm not sure about that. We tried to go a "compatible" way with OpenLDAP,
>> don't know about other projects. I will take a look.
> This is the nss_compat_ossl library approach, which attempts to make
> moznss look as much like openssl as possible to applications.  I thought
> about trying to use that with openldap a few years ago when we first
> started looking at having openldap support moznss, but Howard had
> already done a great deal of work to make the tls code "pluggable" with
> tls2.c and tls_m.c, which takes the approach of using the moznss code
> directly rather than indirectly through another layer.  This has been
> the preferred approach of the Red Hat and Fedora teams that were
> attempting to replace openssl with moznss.  nss_compat_ossl has not been
> actively worked on for a couple of years, and would require many changes
> to support multi-init, multiple key/cert databases, and other fixes that
> have gone into tls_m.c.
> I suppose we could try to get some sort of openssl cipher name support
> directly in upstream moznss, but they would probably assert that it
> doesn't belong there either.
> Maybe we could use nss_compat_ossl to do the mapping of cipher names
> from openssl to moznss?

That makes sense to me, although if as you say it hasn't been actively 
maintained, that sounds like another problem. But certainly if other apps are 
using it, then aren't they going to want new cipher suite support too?

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/