[Pkg-openldap-devel] Bug#510346: Bug#510346: new TLS_CIPHER_SUITE underdocumented

Simon Josefsson simon at josefsson.org
Thu Jan 15 07:59:03 UTC 2009


Steve Langasek <vorlon at debian.org> writes:

> Hi Simon,
>
> On Wed, Jan 14, 2009 at 03:03:32PM +0100, Simon Josefsson wrote:
>
>> > However, after putting that string into TLS_CIPHER_SUITE
>
>> Your mistake is that you assume that OpenLDAP passes the
>> TLS_CIPHER_SUITE string to GnuTLS' priority string functions.  Alas, it
>> doesn't.  Thus, your problem is a feature request really, for OpenLDAP
>> to support GnuTLS priority strings.
>
>> A proper fix requires co-ordination with the OpenLDAP people.  Either
>> they 1) remove all strange code for parsing ciphers for GnuTLS and only
>> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
>> they introduce a new configuration keyword TLS_PRIORITY that is sent
>> to GnuTLS's priority functions.  Given that TLS_CIPHER_SUITE accepts
>> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
>> priority strings, so I would recommend 1).  And improve the
>> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
>> manual in the OpenLDAP documentation.
>
> Hmm, does this mean Debian bug #464625 is fixed?

Alas, no.  The syntax is still different.

> The syntax you're describing certainly includes a lot more overlap
> with OpenSSL syntax than what I recall from the last time this came
> up, but perhaps the compatibility isn't good enough that we would want
> to revert the changes from bug #462588 if openldap were patched to
> call gnutls_priority_set_direct()?

That bug seems to fix several issues, so I'm not sure what you refer to.

> I would have been happy to pursue this sooner if I had known this might be
> an option, but bug #464625 has seen no activity since May.

To avoid configuration file compatibility, maybe there should be a new
keyword GNUTLS_CIPHER_SUITE instead that is documented to only be for
gnutls priority strings, and let TLS_CIPHER_SUITE be documented for only
OpenSSL strings.  If openldap is linked with GnuTLS, it would refuse to
start if TLS_CIPHER_SUITE is defined, and vice versa.  But maybe this
just complicates the issue further...

I guess the simplest is to let TLS_CIPHER_SUITE result in calling
gnutls_priority_* on the string, and document that the syntax of that
configuration keyword depends on whether you use GnuTLS or OpenSSL.

/Simon
