ryan@nardis.ca wrote:
On Mon, Jun 30, 2014 at 5:05 AM, Howard Chu hyc@symas.com wrote:
The only reason GnuTLS support exists in OpenLDAP is because of Debian. Therefore, if Debian no longer uses libgcrypt, I'm happy to rip all of that crap out.
Sounds good to me. So a patch that removes gcrypt entirely looks like:
ftp://ftp.openldap.org/incoming/20140630_rtandy_0001-ITS-7877-use-nettle-instead-of-gcrypt.patch
(I assume the explicit threading setup is important, if not maybe the gnutls_global_set_mutex part could be removed too...)
That requires gnutls 2.12.0 or newer, so then I think we can also remove the compatibility code for older versions:
ftp://ftp.openldap.org/incoming/20140630_rtandy_0002-assume-gnutls-provides-cipher-suites.patch
ftp://ftp.openldap.org/incoming/20140630_rtandy_0003-assume-gnutls-is-at-least-2.12.0.patch
Just tell us at which version of GnuTLS you switched to nettle and we'll make that the minimum supported version.
Debian builds gnutls with nettle starting from 3.0.0. The API used in tls_g.c is all backend agnostic though. I tried with 2.12.20 (with gcrypt backend) and everything looks fine in slapd and clients, including the threading setup. I think 2.12.0 as the minimum version would be fine, and then nettle vs gcrypt only matters for smbk5pwd users.
Thanks for considering my patches.
Committed to master. I've also added a check for 2.12.0 to the configure script.
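The minimum-version check mentioned above, as an added example written for this page (it is not OpenLDAP's configure script nor part of the posted patches): a POSIX sh configure-style check that enforces the 2.12.0 floor the thread settles on. It assumes pkg-config is the preferred way to read the installed GnuTLS version, with a fallback that scrapes the version macro from gnutls/gnutls.h; the function names, the header search paths and the exit codes are illustrative choices, not anything from OpenLDAP's build system.

```shell
#!/bin/sh
# Added example, not from the OpenLDAP patch set or its configure.in:
# a configure-style minimum-version check for GnuTLS.
# Assumptions: pkg-config is preferred; the header fallback, the include
# directories searched and the exit codes are illustrative.

GNUTLS_MIN_VERSION="2.12.0"

# version_ge A B: return 0 if dotted version A >= B, comparing numeric
# components one by one, so 2.12.20 >= 2.12.0 but 2.9.9 < 2.12.0 (a
# plain string comparison would get the latter wrong). A missing
# component counts as 0, so 3.0 == 3.0.0; a suffix such as "1-rc1" is
# read as 1 by awk's numeric conversion.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# installed_gnutls_version: print the installed GnuTLS version.
# Uses pkg-config when the gnutls.pc file is present; otherwise reads
# the GNUTLS_VERSION (3.x) or LIBGNUTLS_VERSION (older) string macro out
# of the installed header. Returns 1 if neither source is available.
installed_gnutls_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists gnutls 2>/dev/null; then
        pkg-config --modversion gnutls
        return 0
    fi
    for d in /usr/include /usr/local/include; do   # assumed search paths
        if [ -r "$d/gnutls/gnutls.h" ]; then
            sed -n 's/^#define[[:space:]]*\(LIB\)\{0,1\}GNUTLS_VERSION[[:space:]]*"\([^"]*\)".*/\2/p' \
                "$d/gnutls/gnutls.h" | head -n 1
            return 0
        fi
    done
    return 1
}

# check_gnutls: the actual configure check. Exit status 0 when the
# installed version meets the floor, 1 when it is too old, 2 when no
# GnuTLS could be found at all.
check_gnutls() {
    v=$(installed_gnutls_version) || { echo "configure: error: GnuTLS not found"; return 2; }
    if [ -z "$v" ]; then
        echo "configure: error: could not determine GnuTLS version"
        return 2
    fi
    if version_ge "$v" "$GNUTLS_MIN_VERSION"; then
        echo "configure: GnuTLS $v satisfies >= $GNUTLS_MIN_VERSION"
        return 0
    fi
    echo "configure: error: GnuTLS $v is older than the required $GNUTLS_MIN_VERSION"
    return 1
}
```

Running `check_gnutls` from a configure script (and aborting on a non-zero status) gives the same effect as the check added for 2.12.0: builds against an older GnuTLS fail at configure time with a clear message rather than later with a missing symbol.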