Quanah Gibson-Mount quanah@zimbra.com writes:
--On Wednesday, January 14, 2009 7:29 PM +0000 hyc@symas.com wrote:
quanah@OpenLDAP.org wrote:
Full_Name: Quanah Gibson-Mount Version: 2.4.13 OS: NA URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (75.111.29.239)
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510346
Summary from Simon Josefsson:
A proper fix requires co-ordination with the OpenLDAP people. Either they 1) remove all strange code for parsing ciphers for GnuTLS and only use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2) they introduce a new configuration keyword TLS_PRIORITY that is is sent to GnuTLS's priority functions. Given that TLS_CIPHER_SUITE accepts OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS priority strings, so I would recommend 1). And improve the documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS manual in the OpenLDAP documentation.
Sounds like we should do (1). There was no such API in GnuTLS when our support was written, which is why we had to go to the trouble of parsing the cipher suites ourselves. I'm fine with ripping that all out, if someone will tell us what minimum version of GnuTLS provides the new API.
Simon?
The APIs were released as stable for v2.2.0 on 2007-12-14. Perhaps you could have an autoconf test for gnutls_priority_set_direct and only enable the new code conditionally.
/Simon