
Re: (ITS#7367) [PATCH] MozNSS: update list of supported cipher suites



On 10/03/2012 10:18 AM, Howard Chu wrote:
> Thanks for your comments, Rich.
>
> richm@stanfordalumni.org wrote:
>>> On Tuesday 02 of October 2012 14:18:49, hyc@symas.com wrote:
>>>> Back to this point - surely OpenLDAP libldap is not the only piece of
>>>> software that expects to use OpenSSL-style cipher suite names.
>>>> libldap is certainly not the best place to put this translation.
>>> I'm not sure about that. We tried to go a "compatible" way with
>>> OpenLDAP, don't know about other projects. I will take a look.
>> This is the nss_compat_ossl library approach, which attempts to make
>> moznss look as much like openssl as possible to applications.  I thought
>> about trying to use that with openldap a few years ago when we first
>> started looking at having openldap support moznss, but Howard had
>> already done a great deal of work to make the tls code "pluggable" with
>> tls2.c and tls_m.c, which takes the approach of using the moznss code
>> directly rather than indirectly through another layer.  This has been
>> the preferred approach of the Red Hat and Fedora teams that were
>> attempting to replace openssl with moznss.  nss_compat_ossl has not been
>> actively worked on for a couple of years, and would require many changes
>> to support multi-init, multiple key/cert databases, and other fixes that
>> have gone into tls_m.c.
>>
>> I suppose we could try to get some sort of openssl cipher name support
>> directly in upstream moznss, but they would probably assert that it
>> doesn't belong there either.
>>
>> Maybe we could use nss_compat_ossl to do the mapping of cipher names
>> from openssl to moznss?
>
> That makes sense to me, although if as you say it hasn't been actively
> maintained, that sounds like another problem. But certainly if other
> apps are using it, then aren't they going to want new cipher suite
> support too?
>
Yes, and imho nss_compat_ossl is the place to do this.

But, would it be possible to update the cipher suite list in tls_m.c 
first, to bring it up to date, then work on updating the compat library?
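The translation the thread keeps returning to (OpenSSL-style cipher suite names arriving via TLSCipherSuite, NSS wanting its own suite identifiers) is small enough to show end to end. The block below is an added illustration and is not code from OpenLDAP, tls_m.c or nss_compat_ossl. Its mapping table is a constructed subset: the OpenSSL names and the IANA-style names NSS uses for the same suites are real, but the list is deliberately short, and the keyword groups (ALL, eNULL, RC4, AES128, ...) are an assumed simplification of OpenSSL's real keyword semantics. The one design point worth copying is that an unrecognised token is an error, not something to skip: silently dropping a misspelled name and falling back to a library default is how a cipher restriction quietly stops applying.

```python
"""Map an OpenSSL-style cipher string onto NSS cipher suite names.

Added illustration for the thread above, not code from OpenLDAP,
tls_m.c or nss_compat_ossl. The table is a constructed, partial subset.
"""
import re

# Constructed subset of the OpenSSL -> NSS name mapping (real names, partial list).
OPENSSL_TO_NSS = {
    "NULL-SHA": "TLS_RSA_WITH_NULL_SHA",
    "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
    "DES-CBC3-SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "DHE-RSA-AES128-SHA": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "DHE-RSA-AES256-SHA": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "ECDHE-RSA-AES128-SHA": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# A few OpenSSL group keywords, expressed as substring filters over the NSS
# names. Assumed simplification of OpenSSL's real keyword semantics.
KEYWORDS = {
    "ALL": lambda n: "_NULL_" not in n,  # OpenSSL's ALL excludes eNULL
    "eNULL": lambda n: "_NULL_" in n,
    "NULL": lambda n: "_NULL_" in n,
    "RC4": lambda n: "_RC4_" in n,
    "3DES": lambda n: "_3DES_" in n,
    "AES128": lambda n: "_AES_128_" in n,
    "AES256": lambda n: "_AES_256_" in n,
    "ECDHE": lambda n: n.startswith("TLS_ECDHE_"),
    "kEDH": lambda n: n.startswith("TLS_DHE_"),
}


def _expand(token):
    """Return the NSS suites named by one token, or None if unrecognised."""
    if token in OPENSSL_TO_NSS:
        return [OPENSSL_TO_NSS[token]]
    if token in KEYWORDS:
        return [n for n in OPENSSL_TO_NSS.values() if KEYWORDS[token](n)]
    return None


def translate_cipher_string(spec):
    """Translate an OpenSSL cipher string into an ordered list of NSS suites.

    Operators: '!' removes and forbids re-adding, '-' removes but allows a
    later re-add, '+' moves matching suites to the end. Unknown tokens raise
    ValueError instead of being ignored, so a typo cannot silently widen the
    allowed set; an empty result is also an error.
    """
    enabled = []
    killed = set()
    unknown = []
    for token in re.split(r"[:,\s]+", spec.strip()):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        suites = _expand(token[len(op):])
        if suites is None:
            unknown.append(token)
            continue
        if op == "!":
            killed.update(suites)
            enabled = [s for s in enabled if s not in killed]
        elif op == "-":
            enabled = [s for s in enabled if s not in suites]
        elif op == "+":
            moved = [s for s in enabled if s in suites]
            enabled = [s for s in enabled if s not in suites] + moved
        else:
            for s in suites:
                if s not in killed and s not in enabled:
                    enabled.append(s)
    if unknown:
        raise ValueError("unknown cipher tokens: " + ", ".join(unknown))
    if not enabled:
        raise ValueError("cipher string selects no supported suites")
    return enabled


if __name__ == "__main__":
    print(translate_cipher_string("ALL:!eNULL:!RC4"))
```

Whether this lives in tls_m.c or in a compat library, the table is the part that goes stale: every suite NSS gains needs a row here before an OpenSSL-style configuration can select it, which is exactly the maintenance burden the thread is weighing.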