jvcelak@redhat.com wrote:
Full_Name: Jan Vcelak
Version: git master
OS: Linux
URL: ftp://ftp.openldap.org/incoming/jvcelak-20120823-moznss-update-list-of-cipher-suites.patch
Submission from: (NULL) (209.132.186.34)
I'm attaching a patch which updates the list of supported cipher suites for the Mozilla NSS backend. All ciphers currently implemented in NSS (3.13.5) are included.
Recall what I said in ITS#7388 about an endless stream of patches to an unmaintainable code base...
This is completely the wrong approach. There is no way you should be putting hardcoded constants in libldap that are tied to specific MozNSS versions. The MozNSS library needs to provide a cipher enumerator API.
There were 11 MozNSS patches in 2.4.32. Looks like 5 more waiting for review here, plus 2 already committed for 2.4.33. We will not accept patches that require constant revisiting every time NSS updates. This is too much. No more.
Tell the NSS guys to fix their design, or tell Red Hat to use a crypto library that actually works for the intended purpose. MozNSS clearly doesn't.
Default ciphers are selected on the same basis as in OpenSSL. NULL/EXPORT/LOW/MEDIUM/HIGH classification is taken from OpenSSL as well.
The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Red Hat. Red Hat has not assigned rights and/or interest in this work to any party. I, Jan Vcelak, am authorized by Red Hat, my employer, to release this work under the following terms.
Red Hat hereby places the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.