Bug#976991: libldap-2.4-2:amd64: Please consider building with openssl instead of gnutls

Ryan Tandy ryan at nardis.ca
Wed Dec 9 20:23:56 GMT 2020 

Control: severity -1 wishlist

Hi Matt,

On Wed, Dec 09, 2020 at 01:07:11PM -0600, Matt Zagrabelny wrote:
>Unfortunately FreeRADIUS is linked against openssl and cannot properly use
>Debian's libldap-2.4-2, which is linked against gnutls, for TLS communication.

I'm missing a lot of context here. Why does libldap's TLS library matter 
to freeradius? Is there a bug against freeradius I should read?

>From what I understand Fedora is building openldap with openssl.
>
>If the licensing is a concern (due to OpenLDAP's license), Debian now considers openssl
>to be a system library.
>
>Thank you for considering this change.

For avoidance of doubt: I would rather not consider it for bullseye at 
this point, as the freeze is beginning soon. For bookworm it's 
definitely a possibility.

I have indeed heard that we consider openssl to be a system library now, 
and a couple of people pointed out that it's no longer mentioned in 
ftp-master's REJECT-FAQ. On the other hand at least one person has 
raised concerns[1] about whether it's a valid approach.

The main concern for me is a painful transition for users. The 
TLSCipherSuite setting is completely incompatible between the two 
(OpenSSL cipher lists and GnuTLS priority strings have completely 
different syntax) and the last time this was changed, there were bugs 
being reported about it for a long time afterward[2][3]. There are also 
some other, smaller differences in how they handle certificates[4] and 
probably other things.

When Red Hat transitioned from NSS to OpenSSL, they wrote an entire 
TLS shim module (tls_mc) to provide backward compatibility with existing 
NSS setups. Not sure if we'd actually need that much support, but that's 
to give you an idea of the amount of effort they considered justified.

I'm not saying the upgrade pain needs to block a transition, only that 
the benefits of the transition need to outweigh the pain, and that we 
need a better upgrade story than "oh btw your slapd/sssd/etc doesn't 
start anymore".

cheers,
Ryan

[1] https://lists.debian.org/debian-devel/2020/10/msg00168.html
[2] https://bugs.debian.org/541256
[3] https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/comments/19
[4] https://bugs.openldap.org/show_bug.cgi?id=8586#c6

More information about the Pkg-openldap-devel mailing list