Re: (ITS#7877) please make gcrypt optional with newer gnutls
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7877) please make gcrypt optional with newer gnutls
- From: hyc@symas.com
- Date: Tue, 1 Jul 2014 03:24:25 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
ryan@nardis.ca wrote:
> On Mon, Jun 30, 2014 at 5:05 AM, Howard Chu <hyc@symas.com> wrote:
>> The only reason GnuTLS support exists in OpenLDAP is because of Debian.
>> Therefore, if Debian no longer uses libgcrypt, I'm happy to rip all of that
>> crap out.
>
> Sounds good to me. So a patch that removes gcrypt entirely looks like:
>
> ftp://ftp.openldap.org/incoming/20140630_rtandy_0001-ITS-7877-use-nettle-instead-of-gcrypt.patch
>
> (I assume the explicit threading setup is important, if not maybe the
> gnutls_global_set_mutex part could be removed too...)
>
> That requires gnutls 2.12.0 or newer, so then I think we can also
> remove the compatibility code for older versions:
>
> ftp://ftp.openldap.org/incoming/20140630_rtandy_0002-assume-gnutls-provides-cipher-suites.patch
> ftp://ftp.openldap.org/incoming/20140630_rtandy_0003-assume-gnutls-is-at-least-2.12.0.patch
>
>> Just tell us at which version of GnuTLS you switched to nettle and we'll make
>> that the minimum supported version.
>
> Debian builds gnutls with nettle starting from 3.0.0. The API used in
> tls_g.c is all backend agnostic though. I tried with 2.12.20 (with
> gcrypt backend) and everything looks fine in slapd and clients
> including the threading setup. I think 2.12.0 as minimum version would
> be fine, and then nettle vs gcrypt only matters for smbk5pwd users.
>
> Thanks for considering my patches.
Committed to master. I've also added a check for 2.12.0 to the configure script.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/