[Pkg-openldap-devel] Bug#465170: confirmed in 2.4.39-1
Ryan Tandy
ryan at nardis.ca
Tue May 13 19:09:01 UTC 2014
reassign 465170 libldap-2.4-2
found 465170 2.4.39-1
thanks
Hi,
I confirm this bug in current unstable.
Built against libssl-dev, ldap-utils and slapd (if running in the
foreground) automatically prompt for the PEM passphrase; AFAICT that's
provided by libssl (SSL_CTX_use_PrivateKey_file) itself.
Built against libgnutls-dev or libgnutls28-dev, the encrypted private
key cannot be used, since gnutls doesn't implement a similar automatic
prompt.
Alex already asked gnutls upstream about this:
http://lists.gnupg.org/pipermail/gnutls-help/2008-May/001293.html
Since gnutls 2.11.1 gnutls_x509_privkey_import already tries PKCS#8
format if the key isn't PEM or DER; and indeed ldapsearch in Debian is
already able to use PKCS#8 private keys as long as they aren't
encrypted (openssl pkcs8 -topk8 -nocrypt, or similar).
There's also an open ITS upstream for reading encrypted PKCS#8 keys,
last message being "submit a patch":
http://www.openldap.org/its/?findid=7221
The changes to support gnutls_x509_privkey_import_pkcs12 and
gnutls_x509_privkey_import_openssl (for the encrypted PEM format)
would probably be similar to the ones suggested in that ITS. I guess a
password prompt also has to be implemented; I don't see a built-in one
in gnutls.
thanks,
Ryan
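The unencrypted-PKCS#8 conversion the report mentions as the working case for a gnutls-built ldapsearch, as an added shell example that is not part of this bug report or of OpenLDAP; it assumes only the openssl command-line tool and that the passphrase is supplied in a KEY_PASS environment variable (a name chosen here), so it never appears on the command line.

```shell
#!/bin/sh
# Added example (not from the bug report): turn an encrypted private key into
# the unencrypted PKCS#8 form that a gnutls-built ldapsearch/slapd can load,
# and keep the resulting file readable only by its owner, since the file
# permissions are then the only thing protecting the key.
set -eu

# Convert the encrypted key $1 to unencrypted PKCS#8 in $2.
# The passphrase is read from the KEY_PASS environment variable.
to_plain_pkcs8() {
    : "${KEY_PASS:?set KEY_PASS to the key passphrase}"
    # Subshell so the restrictive umask (file created 0600) stays local.
    ( umask 077
      openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2" -passin env:KEY_PASS )
}

# Classify a PEM file by its armor header: unencrypted PKCS#8,
# encrypted PKCS#8, or the OpenSSL-specific encrypted "traditional" PEM.
pem_kind() {
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted-pkcs8
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo plain-pkcs8
    elif grep -q -- 'Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-openssl-pem
    else
        echo other
    fi
}

# Constructed test fixture: generate a fresh RSA key and write it to $1 as
# an encrypted PKCS#8 file protected by KEY_PASS (never use this for real keys).
make_encrypted_key() {
    : "${KEY_PASS:?set KEY_PASS to the key passphrase}"
    tmp=$(mktemp)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$tmp" 2>/dev/null
    openssl pkcs8 -topk8 -in "$tmp" -out "$1" -passout env:KEY_PASS
    rm -f "$tmp"
}

# Command-line use: ./script.sh encrypted.pem plain.pem (with KEY_PASS exported)
if [ "$#" -eq 2 ]; then
    to_plain_pkcs8 "$1" "$2"
    echo "$(pem_kind "$1") -> $(pem_kind "$2")"
fi
```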