Bug#733295: gnutls-bin: please compile GnuTLS with DANE support
Luca Bruno
lucab at debian.org
Tue Nov 17 13:40:58 UTC 2015
On Tue, 24 Mar 2015 23:11:51 +0100 Cyril Brulebois <kibi at debian.org> wrote:
> > > 3. Yet another way might be to teach unbound to support GnuTLS in
> > > addition to OpenSSL and NSS, so that one can build a GnuTLS variant
> > > instead of an NSS one.
> > option 3 would require probably using nettle as well as gnutls (for the
> > dnssec client verification) -- i'm not sure what sort of twisty maze of
> > dependencies or build-dependencies this creates, though :)
>
> Oh, nettle is an old friend (we use it as a sha1 implementation in
> xserver-xorg-core-udeb).
> > libunbound should only depend on libssl for the purposes of outbound
> > DNS-over-TLS-over-TCP connections, right? the DNSSEC verification work
> > only needs to use libcrypto (or nettle, if we were to port it, which
> > would avoid the circularity).
>
> I really don't know. You can pretend somebody jumped on me asking
> whether I was part of Debian and mentioned this issue that has been
> tagged wontfix. That wouldn't be very far from what happened. ;)
>
> I can add nettlifying unbound to my ever growing to-do list, and see
> what codepaths are involved there. Maybe someone even did that work
> upstream already, I didn't check yet.
I went ahead and coded the "nettlify libunbound" part, which is basically
option 3 proposed above.
I ran this through upstream and they merged it today:
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=594
These changes only touch libunbound (and the testcases) to build with nettle,
while the rest of unbound still needs openssl or NSS (mostly for TLS).
Cheers, Luca
--
.''`. ** Debian GNU/Linux ** | Luca Bruno (kaeso)
: :' : The Universal O.S. | lucab (AT) debian.org
`. `'` | GPG: 0xBB1A3A854F3BBEBF
`- http://www.debian.org | Debian GNU/Linux Developer