
Patch for GNU TLS Support


  Attached is a patch which adds support for GNU TLS in place of
  OpenSSL for transport encryption.  It was written by Steve Langasek
  and the copyright for it is included in the patch (LGPL).  By using
  this patch Debian will now be able to distribute TLS-enabled OpenLDAP
  libraries and GPL programs which use them.  This means TLS-enabled
  OpenLDAP libraries and servers will be included by default in the next
  Debian release and in Debian's 'testing' archive.

  (Patch not included due to making message too long for this list, you
  can find it here: http://snowman.net/openldap-gnutls2.patch )

      *  SASL external with TLS certificates for TLS authentication
         is not supported yet (see below).  
      *  GNU TLS does not support a 'trace' option.
      *  GNU TLS is currently set as 'preferred' if both GNU TLS and
         OpenSSL are available.  This can be easily changed.
      *  install-sh was added since configure generated with autoconf
         2.57 complained about it missing.
      *  This patch was made against 2.1.17 but will apply almost
         cleanly against 2.1.21 and has been tested with both.

  This patch has been tested and works in all configurations:
    GNU TLS client -> GNU TLS server
    GNU TLS client -> OpenSSL server
    OpenSSL client -> GNU TLS server
    OpenSSL client -> OpenSSL server (previously supported)

  This patch has not been tested under heavy load yet.  We would
  appreciate feedback from anyone who has the opportunity to do such.

  We feel this patch is ready for inclusion into OpenLDAP with the
  caveat that people using it should be aware that support was newly
  added and so there is higher probability of bugs until more exposure
  and testing is done.  We would be happy to file an ITS for inclusion
  of this patch if this list feels it will be included.

  Below is more detailed information about the patch:
  The patch adds the files:
    headers for the internal GNUTLS/OpenSSL wrapper

    Compatibility wrapper for calling GNU TLS with the OpenSSL API

    Added because configure complained about it being missing after
    running autoconf && autoheaders (autoconf version 2.57-5).

  The patch modifies the files:
    Add gnutls option with appropriate header checks, if GNU TLS is
    available it will be used in preference to OpenSSL.  This can be
    easily changed to make OpenSSL the preference, of course.

    Add gnutls.c and gnutls.lo to the appropriate variables so that
    gnutls support is compiled.

    Add Stub function: disable this for now, there's a lot of conversion
    code that needs to be written to make this work with GNUTLS (OIDs,
    etc). (Function is: ldap_X509dn2bv).  Note: This means that SASL
    external with TLS certificates for TLS authentication will not work
    when using GNU TLS.  We hope that someone who uses this will be
    willing to add the support for this.

    Add the appropriate include for the gnutls headers.  Move OpenSSL
    specific prototypes and functions into #ifndef HAVE_GNUTLS_GNUTLS_H
    blocks.  Note: GNU TLS does not support a 'trace' option.  GNU TLS
    also does not support SSL version 2.  This also adds sections to
    certain functions for GNU TLS support where necessary.

    Add gnutls.c and gnutls.lo to the appropriate variables so that
    gnutls support is compiled.

    Add the include if using GNU TLS for ldap_pvt_gnutls.h and the
    gnutls headers.  Surround OpenSSL using asn1_integer2str with
    trying to use TLS authentication in functions which need it when
    using GNU TLS since it is not supported.


		Stephen Frost
		Debian OpenLDAP co-maintainer
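The backend-selection and stub shape the notes above describe (GNU TLS preferred when both headers are found, OpenSSL-only code moved under HAVE_GNUTLS_GNUTLS_H guards, and ldap_X509dn2bv stubbed out so SASL EXTERNAL with client certificates cannot work under GNU TLS), as an added C example. This is not code from the patch or from OpenLDAP: the HAVE_* defines are hard-coded here as stand-ins for what configure's header checks would emit, the function names, the berval struct and the error codes are hypothetical, and the DN-conversion stub only models the behaviour the message describes. The point it makes is that the unsupported path should fail closed with an explicit error and an empty result, and that callers can probe for the capability before relying on it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for configure's header-check output. In a real build
 * these come from the generated portable.h, never from the source itself. */
#define HAVE_GNUTLS_GNUTLS_H 1
#define HAVE_OPENSSL_SSL_H 1

/* Backend preference: GNU TLS wins when both are available, as in the patch.
 * Swapping the order of the two tests makes OpenSSL the preference instead. */
#if defined(HAVE_GNUTLS_GNUTLS_H)
#  define TLS_BACKEND_GNUTLS 1
#elif defined(HAVE_OPENSSL_SSL_H)
#  define TLS_BACKEND_OPENSSL 1
#else
#  define TLS_BACKEND_NONE 1
#endif

/* Minimal length-prefixed buffer in the shape of an LDAP berval (hypothetical). */
struct berval {
    size_t bv_len;
    char  *bv_val;
};

/* Hypothetical result codes, not OpenLDAP's own. */
#define TLS_OK            0
#define TLS_NOT_SUPPORTED 2

/* Which backend this object was compiled against. */
const char *tls_backend_name(void)
{
#if defined(TLS_BACKEND_GNUTLS)
    return "gnutls";
#elif defined(TLS_BACKEND_OPENSSL)
    return "openssl";
#else
    return "none";
#endif
}

/* Capability probe: can this build turn a peer certificate's subject DN into
 * a string, which is what SASL EXTERNAL needs to derive an authorization id? */
int tls_supports_cert_dn(void)
{
#if defined(TLS_BACKEND_OPENSSL)
    return 1;
#else
    return 0;
#endif
}

#if defined(TLS_BACKEND_GNUTLS)
/* Stub modelled on the patch's disabled ldap_X509dn2bv: the OID/DN conversion
 * code does not exist yet for GNU TLS, so refuse and leave the output empty
 * rather than hand the caller an uninitialised buffer. */
int x509dn2bv(const void *x509dn, struct berval *bv)
{
    (void)x509dn;
    bv->bv_len = 0;
    bv->bv_val = NULL;
    return TLS_NOT_SUPPORTED;
}
#else
/* OpenSSL build: the real conversion lives in the OpenSSL-backed tls code. */
int x509dn2bv(const void *x509dn, struct berval *bv);
#endif

/* A caller on the SASL EXTERNAL path: check the capability first, then rely on
 * the conversion's return code, so an unsupported backend yields an explicit
 * failure instead of an empty or garbage authorization id. */
int sasl_external_authzid(const void *peer_cert_dn, struct berval *authzid)
{
    authzid->bv_len = 0;
    authzid->bv_val = NULL;
    if (!tls_supports_cert_dn())
        return TLS_NOT_SUPPORTED;
    return x509dn2bv(peer_cert_dn, authzid);
}

int main(void)
{
    struct berval id;
    int rc = sasl_external_authzid("CN=constructed-client", &id);
    printf("backend=%s cert-dn=%s sasl-external rc=%d\n",
           tls_backend_name(), tls_supports_cert_dn() ? "yes" : "no", rc);
    return 0;
}
```

With both defines present the build picks GNU TLS, so `sasl_external_authzid` returns `TLS_NOT_SUPPORTED` and never fills the berval; a server built this way should therefore be expected to reject certificate-based SASL EXTERNAL binds outright, and a bind that appears to succeed would be the thing worth investigating.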
