Bug#976991: libldap-2.4-2:amd64: Please consider building with openssl instead of gnutls
Ryan Tandy
ryan at nardis.ca
Wed Dec 9 20:23:56 GMT 2020
Control: severity -1 wishlist
Hi Matt,
On Wed, Dec 09, 2020 at 01:07:11PM -0600, Matt Zagrabelny wrote:
>Unfortunately FreeRADIUS is linked against openssl and cannot properly use
>Debian's libldap-2.4-2, which is linked against gnutls, for TLS communication.
I'm missing a lot of context here. Why does libldap's TLS library matter
to freeradius? Is there a bug against freeradius I should read?
>From what I understand Fedora is building openldap with openssl.
>
>If the licensing is a concern (due to OpenLDAP's license), Debian now considers openssl
>to be a system library.
>
>Thank you for considering this change.
For avoidance of doubt: I would rather not consider it for bullseye at
this point, as the freeze is beginning soon. For bookworm it's
definitely a possibility.
I have indeed heard that we consider openssl to be a system library now,
and a couple of people pointed out that it's no longer mentioned in
ftp-master's REJECT-FAQ. On the other hand at least one person has
raised concerns[1] about whether it's a valid approach.
The main concern for me is a painful transition for users. The
TLSCipherSuite setting is completely incompatible between the two
(OpenSSL cipher lists and GnuTLS priority strings have completely
different syntax) and the last time this was changed, there were bugs
being reported about it for a long time afterward[2][3]. There are also
some other, smaller differences in how they handle certificates[4] and
probably other things.
When Red Hat transitioned from NSS to OpenSSL, they wrote an entire
TLS shim module (tls_mc) to provide backward compatibility with existing
NSS setups. Not sure if we'd actually need that much support, but that's
to give you an idea of the amount of effort they considered justified.
I'm not saying the upgrade pain needs to block a transition, only that
the benefits of the transition need to outweigh the pain, and that we
need a better upgrade story than "oh btw your slapd/sssd/etc doesn't
start anymore".
cheers,
Ryan
[1] https://lists.debian.org/debian-devel/2020/10/msg00168.html
[2] https://bugs.debian.org/541256
[3] https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/comments/19
[4] https://bugs.openldap.org/show_bug.cgi?id=8586#c6
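A pre-upgrade check for the TLSCipherSuite incompatibility Ryan describes, added here as an example and not part of this thread, of OpenLDAP, or of Debian's packaging. It scans slapd.conf, ldap.conf or cn=config text for the cipher-suite directive and reports which grammar each value is written in, so an admin can find settings that would stop slapd, sssd or an LDAP client from starting after a library switch. The directive names are the ones OpenLDAP documents; the keyword lists used to tell the two grammars apart are an assumption drawn from the GnuTLS priority-string and openssl-ciphers(1) documentation, and the config fragments are constructed samples.

```python
"""Audit libldap/slapd configuration for TLS cipher strings written for the
wrong TLS library (GnuTLS priority string vs OpenSSL cipher list)."""
import re
from typing import Dict, List

# Directives carrying a cipher string: slapd.conf, ldap.conf and cn=config LDIF
DIRECTIVE_RE = re.compile(
    r"^\s*(TLSCipherSuite|TLS_CIPHER_SUITE|olcTLSCipherSuite)\s*:?\s+(\S.*?)\s*$",
    re.IGNORECASE,
)

# Tokens that occur only in GnuTLS priority strings
# (assumption: taken from gnutls_priority_init(3), not from this bug report)
GNUTLS_KEYWORDS = {"NORMAL", "SECURE128", "SECURE256", "PFS", "PERFORMANCE",
                   "LEGACY", "SUITEB128", "SUITEB192", "NONE"}
GNUTLS_PREFIXES = ("VERS-", "SIGN-", "MAC-", "COMP-", "CURVE-", "GROUP-", "%")

# Tokens that occur only in OpenSSL cipher lists
# (assumption: taken from openssl-ciphers(1), compared case-insensitively)
OPENSSL_KEYWORDS = {"DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT",
                    "ANULL", "ENULL", "KRSA", "KECDHE", "AECDSA", "AESGCM", "CHACHA20"}
OPENSSL_PREFIXES = ("@STRENGTH", "@SECLEVEL=")


def classify_cipher_string(value: str) -> str:
    """Return 'gnutls', 'openssl' or 'unknown' for one cipher-suite value.

    Both grammars separate tokens with ':' and use +/-/! modifiers, so the
    decision rests on tokens that exist in only one of them.  A value built
    solely from named suites (e.g. ECDHE-RSA-AES256-GCM-SHA384) is ambiguous
    and is reported as 'unknown' rather than guessed.
    """
    gnutls_votes = openssl_votes = 0
    for raw in value.split(":"):
        tok = raw.strip().lstrip("+-!")
        if not tok:
            continue
        up = tok.upper()
        if up in GNUTLS_KEYWORDS or up.startswith(GNUTLS_PREFIXES):
            gnutls_votes += 1
        elif up in OPENSSL_KEYWORDS or up.startswith(OPENSSL_PREFIXES):
            openssl_votes += 1
    if gnutls_votes and not openssl_votes:
        return "gnutls"
    if openssl_votes and not gnutls_votes:
        return "openssl"
    return "unknown"


def audit_config(text: str, linked_against: str) -> List[Dict[str, object]]:
    """List every cipher-suite directive with its detected grammar and whether
    it matches the library libldap is linked against ('gnutls' or 'openssl').
    Line numbers are included so the setting can be fixed before the switch."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, value = m.group(1), m.group(2)
        syntax = classify_cipher_string(value)
        findings.append({
            "line": lineno,
            "directive": directive,
            "value": value,
            "syntax": syntax,
            # 'unknown' is not flagged: it may well parse under either library
            "compatible": syntax in (linked_against, "unknown"),
        })
    return findings


# Constructed sample fragments (not configs from the bug report)
SAMPLE_SLAPD_CONF = """\
# slapd.conf fragment written for a GnuTLS-linked libldap
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
TLSCipherSuite NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
"""

SAMPLE_LDAP_CONF = """\
# ldap.conf fragment copied from an OpenSSL-linked host
TLS_CIPHER_SUITE HIGH:!aNULL:!eNULL:@STRENGTH
"""

if __name__ == "__main__":
    # Pretend libldap is the GnuTLS build Debian currently ships
    for name, text in (("slapd.conf", SAMPLE_SLAPD_CONF), ("ldap.conf", SAMPLE_LDAP_CONF)):
        for f in audit_config(text, linked_against="gnutls"):
            status = "ok" if f["compatible"] else "INCOMPATIBLE"
            print(f"{name}:{f['line']} {f['directive']} uses {f['syntax']} syntax: {status}")
```

Run against the sample input with `linked_against="gnutls"`, the slapd.conf line passes and the ldap.conf line is flagged; swapping the argument to `"openssl"` inverts the result, which is exactly the situation a library transition creates. Values that use only named suites come back as `unknown` on purpose, since a heuristic that guessed there would hide the cases that most need a manual look.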