Re: (ITS#7367) [PATCH] MozNSS: update list of supported cipher suites
On 10/03/2012 10:18 AM, Howard Chu wrote:
> Thanks for your comments, Rich.
> firstname.lastname@example.org wrote:
>>> On Tuesday 02 of October 2012 14:18:49, email@example.com wrote:
>>>> Back to this point - surely OpenLDAP libldap is not the only piece of
>>>> software that expects to use OpenSSL-style cipher suite names.
>>>> libldap is certainly not the best place to put this translation.
>>> I'm not sure about that. We tried to go a "compatible" way with
>>> don't know about other projects. I will take a look.
>> This is the nss_compat_ossl library approach, which attempts to make
>> moznss look as much like openssl as possible to applications. I thought
>> about trying to use that with openldap a few years ago when we first
>> started looking at having openldap support moznss, but Howard had
>> already done a great deal of work to make the tls code "pluggable" with
>> tls2.c and tls_m.c, which takes the approach of using the moznss code
>> directly rather than indirectly through another layer. This has been
>> the preferred approach of the Red Hat and Fedora teams that were
>> attempting to replace openssl with moznss. nss_compat_ossl has not been
>> actively worked on for a couple of years, and would require many changes
>> to support multi-init, multiple key/cert databases, and other fixes that
>> have gone into tls_m.c.
>> I suppose we could try to get some sort of openssl cipher name support
>> directly in upstream moznss, but they would probably assert that it
>> doesn't belong there either.
>> Maybe we could use nss_compat_ossl to do the mapping of cipher names
>> from openssl to moznss?
> That makes sense to me, although if as you say it hasn't been actively
> maintained, that sounds like another problem. But certainly if other
> apps are using it, then aren't they going to want new cipher suite
> support too?
Yes, and imho nss_compat_ossl is the place to do this.
But, would it be possible to update the cipher suite list in tls_m.c
first, to bring it up to date, then work on updating the compat library?