Bug#976991: libldap-2.4-2:amd64: Please consider building with openssl instead of gnutls

Matt Zagrabelny mzagrabe at d.umn.edu
Wed Feb 2 18:53:59 GMT 2022


On Wed, Dec 9, 2020 at 2:23 PM Ryan Tandy <ryan at nardis.ca> wrote:


> I have indeed heard that we consider openssl to be a system library now,
> and a couple of people pointed out that it's no longer mentioned in
> ftp-master's REJECT-FAQ. On the other hand at least one person has
> raised concerns[1] about whether it's a valid approach.

I'm not familiar with the OpenLDAP Public License. Is it compatible
with Apache v2 license? That is the license for openssl v3.

>
> The main concern for me is a painful transition for users. The
> TLSCipherSuite setting is completely incompatible between the two
> (OpenSSL cipher lists and GnuTLS priority strings have completely
> different syntax) and the last time this was changed, there were bugs
> being reported about it for a long time afterward[2][3].


From [2]:

Howard Chu <hyc at openldap.org> on Thu, 13 Aug 2009 11:15:48 -0700
"""
As software and security professionals, we cannot in good conscience stand
mute on the subject. The quality of the code in GnuTLS is obviously low, the
risk of security vulnerabilities is high, and the cost in maintenance is only
going up. Whether you want to hear it or not, we are obligated to state for
the record that using GnuTLS is a bad idea, because that's the objective truth.
"""

I don't know if that opinion holds any weight, but I'd consider the
freeradius ldap module (in package freeradius-ldap) broken due to the
openssl TLS specific code that FR uses.

Any traction on a gnutls -> openssl migration for openldap for bookworm?

Thanks for any info.

-m
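As an added example (not code from this thread or from the OpenLDAP project), a small Python audit helper that scans slapd.conf, ldap.conf and cn=config lines for the cipher-suite directive discussed above and flags values written in GnuTLS priority-string syntax, which would stop parsing once libldap is linked against OpenSSL; the keyword sets are a conservative heuristic I chose, not the full grammar of either library, and the config lines are constructed.

```python
import re

# Assumption: these keywords belong to only one of the two grammars, so their
# presence is a reliable (if incomplete) signal of which library the value targets.
GNUTLS_ONLY = {"NORMAL", "SECURE128", "SECURE192", "SECURE256", "SUITEB128",
               "SUITEB192", "LEGACY", "PFS", "PERFORMANCE", "NONE"}
OPENSSL_ONLY = {"DEFAULT", "ALL", "COMPLEMENTOFALL", "COMPLEMENTOFDEFAULT",
                "HIGH", "MEDIUM", "LOW", "ANULL", "ENULL", "KRSA", "ARSA"}

# slapd.conf, cn=config (LDIF) and client ldap.conf spell the directive differently.
DIRECTIVE = re.compile(
    r"^\s*(olcTLSCipherSuite:|TLSCipherSuite|TLS_CIPHER_SUITE)\s+(\S+)", re.IGNORECASE)


def classify(value):
    """Return 'gnutls', 'openssl', 'mixed' or 'unknown' for one cipher string."""
    gnutls = openssl = False
    for raw in value.split(":"):
        tok = raw.lstrip("+-!")          # both syntaxes allow add/remove prefixes
        up = tok.upper()
        if tok.startswith("%") or up.startswith("VERS-") or up in GNUTLS_ONLY:
            gnutls = True                # %options and VERS-* exist only in GnuTLS
        if up.startswith("@STRENGTH") or up.startswith("@SECLEVEL") or up in OPENSSL_ONLY:
            openssl = True               # @STRENGTH/@SECLEVEL exist only in OpenSSL
    if gnutls and openssl:
        return "mixed"
    return "gnutls" if gnutls else "openssl" if openssl else "unknown"


def audit(lines):
    """Yield (line_no, directive, value, syntax) for every cipher-suite directive."""
    found = []
    for n, line in enumerate(lines, 1):
        m = DIRECTIVE.match(line)
        if m:
            found.append((n, m.group(1), m.group(2), classify(m.group(2))))
    return found


# Constructed sample: one GnuTLS-style slapd.conf value and one OpenSSL-style ldap.conf value.
SAMPLE_LINES = [
    "TLSCertificateFile /etc/ldap/server.pem",
    "TLSCipherSuite SECURE256:-VERS-TLS1.0:%SERVER_PRECEDENCE",
    "TLS_CIPHER_SUITE HIGH:!aNULL:!MD5",
]

if __name__ == "__main__":
    for n, directive, value, syntax in audit(SAMPLE_LINES):
        flag = "  <-- needs rewriting for OpenSSL" if syntax == "gnutls" else ""
        print(f"line {n}: {directive} {value} [{syntax}]{flag}")
```

Values reported as "unknown" contain only bare algorithm names and must be checked by hand, since both libraries accept hyphenated names with different spellings.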
