[Pkg-openldap-devel] Bug#510346: Bug#510346: new TLS_CIPHER_SUITE underdocumented
Steve Langasek
vorlon at debian.org
Thu Jan 15 03:52:12 UTC 2009
Hi Simon,
On Wed, Jan 14, 2009 at 03:03:32PM +0100, Simon Josefsson wrote:
> > However, after putting that string into TLS_CIPHER_SUITE
> Your mistake is that you assume that OpenLDAP passes the
> TLS_CIPHER_SUITE string to GnuTLS' priority string functions. Alas, it
> doesn't. Thus, your problem is a feature request really, for OpenLDAP
> to support GnuTLS priority strings.
> A proper fix requires co-ordination with the OpenLDAP people. Either
> they 1) remove all strange code for parsing ciphers for GnuTLS and only
> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
> they introduce a new configuration keyword TLS_PRIORITY that is sent
> to GnuTLS's priority functions. Given that TLS_CIPHER_SUITE accepts
> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
> priority strings, so I would recommend 1). And improve the
> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
> manual in the OpenLDAP documentation.
Hmm, does this mean Debian bug #464625 is fixed? The syntax you're
describing certainly includes a lot more overlap with OpenSSL syntax than
what I recall from the last time this came up, but perhaps the compatibility
isn't good enough that we would want to revert the changes from bug #462588
if openldap were patched to call gnutls_priority_set_direct()?
I would have been happy to pursue this sooner if I had known this might be
an option, but bug #464625 has seen no activity since May.
Thanks,
--
Steve Langasek, Debian Developer, Ubuntu Developer
slangasek at ubuntu.com / vorlon at debian.org
http://www.debian.org/
"Give me a lever long enough and a Free OS to set it on, and I can move the world."
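Added illustration of the point Simon makes above, not code from OpenLDAP, GnuTLS or anyone in this thread: the GnuTLS priority-string dialect and the OpenSSL cipher-list dialect share the same colon-separated shape with '+'/'-' prefixes, so a TLS_CIPHER_SUITE value written for one library can sit in ldap.conf looking plausible while the other library would reject it (or, as in this bug, never see it at all). The Python below is a heuristic lint that classifies a value as one dialect or the other and names the tokens that fit neither. The keyword tables are assumptions taken from gnutls_priority_init(3) and ciphers(1) for the GnuTLS 2.x / OpenSSL 0.9.8 generation, the sample ldap.conf is constructed, and the real authority is gnutls_priority_init() itself, whose err_pos argument points at the first token it cannot parse.

```python
"""
Heuristic lint for the TLS_CIPHER_SUITE value in an ldap.conf: classify the
value as a GnuTLS priority string or as an OpenSSL cipher list, and name the
tokens that fit neither.  Added example, not OpenLDAP or GnuTLS code.  The
keyword tables are assumptions taken from gnutls_priority_init(3) and
ciphers(1) as of the GnuTLS 2.x / OpenSSL 0.9.8 generation; the real parser
(gnutls_priority_init with its err_pos output) is the authority.
"""
import re

# GnuTLS: first token is an initial keyword, remaining tokens are modifiers
# ('+'/'-'/'!' followed by a category prefix) or '%' special options.
GNUTLS_INITIAL = {"NONE", "NORMAL", "SECURE128", "SECURE256",
                  "PERFORMANCE", "EXPORT"}
GNUTLS_MODIFIER_PREFIXES = ("VERS-", "CIPHER-", "MAC-", "KX-", "COMP-",
                            "SIGN-", "CTYPE-")

# OpenSSL: keywords and suite names in any order, each optionally prefixed
# with '!', '-' or '+'; '@STRENGTH' re-sorts the list.
OPENSSL_KEYWORDS = {
    "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "COMPLEMENTOFALL", "HIGH",
    "MEDIUM", "LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "NULL",
    "eNULL", "aNULL", "RSA", "kRSA", "aRSA", "DH", "kEDH", "EDH", "ADH",
    "AES", "3DES", "DES", "RC4", "RC2", "MD5", "SHA", "SHA1", "SSLv2",
    "SSLv3", "TLSv1", "@STRENGTH",
}
# Individual OpenSSL suite names such as AES128-SHA or DHE-RSA-AES256-SHA.
OPENSSL_SUITE = re.compile(
    r"^(?:EXP-)?(?:[A-Z0-9]+-)*(?:AES128|AES256|DES-CBC3|DES-CBC|RC4|RC2-CBC|NULL)-(?:SHA|MD5)$")


def _gnutls_rejects(tokens):
    """Tokens a GnuTLS priority parser would not accept (heuristic)."""
    head, mods = tokens[0], tokens[1:]
    bad = [] if head in GNUTLS_INITIAL else [head]
    for tok in mods:
        if tok.startswith("%"):
            continue
        if tok[:1] in "+-!" and tok[1:].startswith(GNUTLS_MODIFIER_PREFIXES):
            continue
        bad.append(tok)
    return bad


def _openssl_rejects(tokens):
    """Tokens an OpenSSL cipher-list parser would not accept (heuristic)."""
    bad = []
    for tok in tokens:
        body = tok.lstrip("!-+")
        if body not in OPENSSL_KEYWORDS and not OPENSSL_SUITE.match(body):
            bad.append(tok)
    return bad


def classify(value):
    """Return (dialect, rejected_tokens); dialect is 'gnutls', 'openssl',
    'ambiguous' (valid in both), 'unknown' (valid in neither) or 'empty'."""
    tokens = [t for t in value.split(":") if t]
    if not tokens:
        return "empty", []
    g, o = _gnutls_rejects(tokens), _openssl_rejects(tokens)
    if not g and not o:
        return "ambiguous", []
    if not g:
        return "gnutls", []
    if not o:
        return "openssl", []
    # Fits neither: report the complaints of the dialect it is closer to.
    return "unknown", g if len(g) <= len(o) else o


_DIRECTIVE = re.compile(r"^\s*TLS_CIPHER_SUITE\s+(\S+)", re.IGNORECASE)


def lint_conf(text):
    """Scan ldap.conf text; return [(line_no, value, dialect, rejected)]."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _DIRECTIVE.match(line)
        if m:
            dialect, rejected = classify(m.group(1))
            results.append((n, m.group(1), dialect, rejected))
    return results


# Constructed sample configuration (not a real system's file).
SAMPLE_LDAP_CONF = """\
# constructed ldap.conf
URI ldap://ldap.example.invalid
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CIPHER_SUITE NORMAL:-VERS-SSL3.0:+COMP-NULL
"""

if __name__ == "__main__":
    for n, value, dialect, rejected in lint_conf(SAMPLE_LDAP_CONF):
        print(f"line {n}: {value!r} -> {dialect}", rejected or "")
```

A value such as NORMAL:+SSLv2 comes back as 'unknown' with '+SSLv2' flagged, which is the mixed form an admin produces by copying an OpenSSL idiom onto a GnuTLS initial keyword; a value that both dialects accept, such as a bare EXPORT, is reported as 'ambiguous' so it is not silently trusted. Whatever this lint says, confirm the effective suite list against the library actually linked into libldap, since the thread's point is that the string may not reach GnuTLS's priority parser at all.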