Hayden Roche wrote:
Hi everyone,
Hi!
Sure, I've used wolfSSL before, I think it would be nice to have it as a first class option. I'm a bit leery of OpenSSL compatibility layers. LibreSSL tends to confuse all version number checks with theirs, so it's better to avoid that mess if possible.
I'm a software engineer with wolfSSL, which is a fast, lightweight, and FIPS-certified TLS implementation written in C. wolfSSL offers an OpenSSL compatibility layer that presents the same API as OpenSSL, but under the hood, calls into wolfSSL and wolfCrypt (our crypto library) functions. One of our commercial users recently had us port OpenLDAP to use wolfSSL. With some modifications to the OpenSSL backend code (primarily in tls_o.c), I was able to get OpenLDAP 2.4.47 building and (to my knowledge) working with wolfSSL's OpenSSL compatibility layer. I recently reached out on your IRC channel to see if there was any interest in supporting wolfSSL as a TLS backend for OpenLDAP upstream and was directed to this mailing list (thanks JoBbZ). I was also pointed to this issue in your issue tracking system, where a developer (Quanah Gibson-Mount) expressed interest in using wolfSSL:
https://bugs.openldap.org/show_bug.cgi?id=9303
Is there still interest in getting wolfSSL working with OpenLDAP's latest version and integrated upstream? If so, I imagine we'd want to make wolfSSL a first class citizen among the TLS backends (i.e. rather than using our OpenSSL compatibility layer and modifying tls_o.c, use wolfSSL's native functions and create a new tls_w.c). Looking forward to hearing from you.
Thanks!
Hayden Roche
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/