Hi everyone,
I'm a software engineer with wolfSSL, which is a fast, lightweight, and FIPS-certified TLS implementation written in C. wolfSSL offers an OpenSSL compatibility layer that presents the same API as OpenSSL, but under the hood, calls into wolfSSL and wolfCrypt (our crypto library) functions. One of our commercial users recently had us port OpenLDAP to use wolfSSL. With some modifications to the OpenSSL backend code (primarily in tls_o.c), I was able to get OpenLDAP 2.4.47 building and (to my knowledge) working with wolfSSL's OpenSSL compatibility layer. I recently reached out on your IRC channel to see if there was any interest in supporting wolfSSL as a TLS backend for OpenLDAP upstream and was directed to this mailing list (thanks JoBbZ). I was also pointed to this issue in your issue tracking system, where a developer (Quanah Gibson-Mount) expressed interest in using wolfSSL: https://bugs.openldap.org/show_bug.cgi?id=9303
Is there still interest in getting wolfSSL working with OpenLDAP's latest version and integrated upstream? If so, I imagine we'd want to make wolfSSL a first class citizen among the TLS backends (i.e. rather than using our OpenSSL compatibility layer and modifying tls_o.c, use wolfSSL's native functions and create a new tls_w.c). Looking forward to hearing from you.
Thanks!
Hayden Roche
Hayden Roche wrote:
> Hi everyone,
Hi!
Sure, I've used wolfSSL before, I think it would be nice to have it as a first class option. I'm a bit leery of OpenSSL compatibility layers. LibreSSL tends to confuse all version number checks with theirs, so it's better to avoid that mess if possible.
> I'm a software engineer with wolfSSL, which is a fast, lightweight, and FIPS-certified TLS implementation written in C. wolfSSL offers an OpenSSL compatibility layer that presents the same API as OpenSSL, but under the hood, calls into wolfSSL and wolfCrypt (our crypto library) functions. One of our commercial users recently had us port OpenLDAP to use wolfSSL. With some modifications to the OpenSSL backend code (primarily in tls_o.c), I was able to get OpenLDAP 2.4.47 building and (to my knowledge) working with wolfSSL's OpenSSL compatibility layer. I recently reached out on your IRC channel to see if there was any interest in supporting wolfSSL as a TLS backend for OpenLDAP upstream and was directed to this mailing list (thanks JoBbZ). I was also pointed to this issue in your issue tracking system, where a developer (Quanah Gibson-Mount) expressed interest in using wolfSSL: https://bugs.openldap.org/show_bug.cgi?id=9303
> Is there still interest in getting wolfSSL working with OpenLDAP's latest version and integrated upstream? If so, I imagine we'd want to make wolfSSL a first class citizen among the TLS backends (i.e. rather than using our OpenSSL compatibility layer and modifying tls_o.c, use wolfSSL's native functions and create a new tls_w.c). Looking forward to hearing from you.
> Thanks!
> Hayden Roche
--On Thursday, February 25, 2021 12:38 PM -0600 Hayden Roche haydenroche5@gmail.com wrote:
> (thanks JoBbZ). I was also pointed to this issue in your issue tracking system, where a developer (Quanah Gibson-Mount)
Same person. ;)
> Is there still interest in getting wolfSSL working with OpenLDAP's latest version and integrated upstream?
OpenLDAP 2.4 is closed to development. If you want this in for OpenLDAP 2.5, you'll need to get the work in ASAP, otherwise it will have to wait for 2.6.
Generally:
Sign up for an account on our gitlab instance: https://git.openldap.org
Fork a copy of the openldap repo.
Create a branch for ITS9303 and do the work in that branch
Push the branch
Open a merge request for review
Additionally, you'll need to add an IPR statement to ITS#9303 as documented at https://www.openldap.org/devel/contributing.html#notice
A link to the MR should also be put into the ITS.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com