[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7877) please make gcrypt optional with newer gnutls

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7877) please make gcrypt optional with newer gnutls
From: ryan@nardis.ca
Date: Mon, 30 Jun 2014 21:52:12 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

On Mon, Jun 30, 2014 at 5:05 AM, Howard Chu <hyc@symas.com> wrote:
> The only reason GnuTLS support exists in OpenLDAP is because of Debian.
> Therefore, if Debian no longer uses libgcrypt, I'm happy to rip all of that
> crap out.

Sounds good to me. So a patch that removes gcrypt entirely looks like:

ftp://ftp.openldap.org/incoming/20140630_rtandy_0001-ITS-7877-use-nettle-instead-of-gcrypt.patch

(I assume the explicit threading setup is important, if not maybe the
gnutls_global_set_mutex part could be removed too...)

That requires gnutls 2.12.0 or newer, so then I think we can also
remove the compatibility code for older versions:

ftp://ftp.openldap.org/incoming/20140630_rtandy_0002-assume-gnutls-provides-cipher-suites.patch
ftp://ftp.openldap.org/incoming/20140630_rtandy_0003-assume-gnutls-is-at-least-2.12.0.patch

> Just tell us at which version of GnuTLS you switched to nettle and we'll make
> that the minimum supported version.

Debian builds gnutls with nettle starting from 3.0.0. The API used in
tls_g.c is all backend agnostic though. I tried with 2.12.20 (with
gcrypt backend) and everything looks fine in slapd and clients
including the threading setup. I think 2.12.0 as minimum version would
be fine, and then nettle vs gcrypt only matters for smbk5pwd users.

Thanks for considering my patches.

Prev by Date: Re: (ITS#7877) please make gcrypt optional with newer gnutls
Index(es):
- Chronological
- Thread