Control: severity -1 wishlist

Hi Matt,

On Wed, Dec 09, 2020 at 01:07:11PM -0600, Matt Zagrabelny wrote:
> Unfortunately FreeRADIUS is linked against openssl and cannot properly use
> Debian's libldap-2.4-2, which is linked against gnutls, for TLS communication.

I'm missing a lot of context here. Why does libldap's TLS library matter to freeradius? Is there a bug against freeradius I should read?

> From what I understand Fedora is building openldap with openssl.

> If the licensing is a concern (due to OpenLDAP's license), Debian now considers
> openssl to be a system library.

> Thank you for considering this change.

For avoidance of doubt: I would rather not consider it for bullseye at this point, as the freeze is beginning soon. For bookworm it's definitely a possibility.

I have indeed heard that we consider openssl to be a system library now, and a couple of people pointed out that it's no longer mentioned in ftp-master's REJECT-FAQ. On the other hand at least one person has raised concerns[1] about whether it's a valid approach.

The main concern for me is a painful transition for users. The TLSCipherSuite setting is completely incompatible between the two (OpenSSL cipher lists and GnuTLS priority strings have completely different syntax) and the last time this was changed, there were bugs being reported about it for a long time afterward[2][3]. There are also some other, smaller differences in how they handle certificates[4] and probably other things.

When Red Hat transitioned from NSS to OpenSSL, they wrote an entire TLS shim module (tls_mc) to provide backward compatibility with existing NSS setups. Not sure if we'd actually need that much support, but that's to give you an idea of the amount of effort they considered justified.

I'm not saying the upgrade pain needs to block a transition, only that the benefits of the transition need to outweigh the pain, and that we need a better upgrade story than "oh btw your slapd/sssd/etc doesn't start anymore".

cheers,
Ryan

[1] https://lists.debian.org/debian-devel/2020/10/msg00168.html
[2] https://bugs.debian.org/541256
[3] https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/comments/19
[4] https://bugs.openldap.org/show_bug.cgi?id=8586#c6
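The TLSCipherSuite incompatibility raised above is the kind of thing a pre-upgrade check could catch before slapd fails to start. The script below is an added example written for this page; it is not code from the bug thread, from Debian's packaging or from OpenLDAP. It scans slapd.conf, ldap.conf and cn=config-style text for the cipher directive (TLSCipherSuite, TLS_CIPHER_SUITE, olcTLSCipherSuite), classifies each value as OpenSSL cipher-list syntax or GnuTLS priority-string syntax from a few distinctive tokens, and lists the lines that will not parse under the target backend. The token tables and regexes are a heuristic assumed for the example, not a complete grammar for either library, and the config fragments are constructed sample input.

```python
"""Pre-upgrade lint for OpenLDAP cipher directives (added example, heuristic).

slapd.conf uses `TLSCipherSuite <value>`, ldap.conf uses `TLS_CIPHER_SUITE <value>`
and cn=config uses `olcTLSCipherSuite: <value>`.  The value is an OpenSSL cipher
list when libldap links against OpenSSL and a GnuTLS priority string when it links
against GnuTLS.  The token tables below are an assumption of this example: they
cover common distinctive keywords, not every alias either library accepts.
"""
import re

# Keywords that only exist in OpenSSL cipher-list syntax.
OPENSSL_ONLY = {
    "DEFAULT", "ALL", "COMPLEMENTOFALL", "COMPLEMENTOFDEFAULT",
    "HIGH", "MEDIUM", "LOW", "EXP", "EXPORT",
    "aNULL", "eNULL", "kRSA", "aRSA", "kDHE", "kEDH", "kECDHE", "kEECDH",
    "aECDSA", "AESGCM", "AESCCM", "RC4", "3DES", "DES", "SEED",
}
# A GnuTLS priority string opens with one of these (or an @PROFILE reference).
GNUTLS_INITIAL = {
    "NORMAL", "PFS", "SECURE128", "SECURE192", "SECURE256",
    "SUITEB128", "SUITEB192", "LEGACY", "PERFORMANCE", "NONE",
}
# OpenSSL-shaped tokens: TLSv1.2, @STRENGTH, @SECLEVEL=2, AES128-GCM-SHA256,
# ECDHE-RSA-AES256-GCM-SHA384 (key size glued to the algorithm name).
_OPENSSL_RE = re.compile(
    r"^(SSLv3|TLSv1(\.[0-3])?|@STRENGTH|@SECLEVEL=\d+"
    r"|([A-Z0-9]+-)*(AES|CAMELLIA|ARIA)(128|256)(-[A-Z0-9]+)*)$")
# GnuTLS-shaped tokens: VERS-TLS1.2, KX-ALL, AES-128-GCM (hyphenated key size),
# %SERVER_PRECEDENCE and similar special options.
_GNUTLS_RE = re.compile(
    r"^((VERS|KX|CIPHER|MAC|SIGN|COMP|CTYPE|GROUP|CURVE)-.*"
    r"|(AES|CAMELLIA)-(128|192|256)-.*|%[A-Z_]+)$")


def classify(value):
    """Return 'openssl', 'gnutls', 'mixed' or 'unknown' for one directive value."""
    tokens = [t for t in re.split(r"[:, ]+", value.strip()) if t]
    openssl = gnutls = 0
    for i, tok in enumerate(tokens):
        bare = tok.lstrip("+-!")  # both syntaxes prefix tokens with +, - or !
        leading_profile = bare.startswith("@") and not _OPENSSL_RE.match(bare)
        if i == 0 and (bare in GNUTLS_INITIAL or leading_profile):
            gnutls += 1
        elif bare in OPENSSL_ONLY or _OPENSSL_RE.match(bare):
            openssl += 1
        elif _GNUTLS_RE.match(bare):
            gnutls += 1
    if openssl and gnutls:
        return "mixed"
    if openssl:
        return "openssl"
    if gnutls:
        return "gnutls"
    return "unknown"


_DIRECTIVE_RE = re.compile(
    r"^\s*(olcTLSCipherSuite\s*:|TLSCipherSuite|TLS_CIPHER_SUITE)\s+(\S.*?)\s*$",
    re.IGNORECASE)


def scan_config(text):
    """Return (line_number, value, syntax) for every cipher directive in text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _DIRECTIVE_RE.match(line)
        if m:
            findings.append((n, m.group(2), classify(m.group(2))))
    return findings


def needs_rewrite(text, target):
    """Directives that will not parse once libldap links against `target`."""
    return [f for f in scan_config(text) if f[2] not in (target, "unknown")]


# Constructed sample input: one fragment per config style.
SAMPLE_SLAPD_CONF = """\
# constructed slapd.conf fragment, written for a GnuTLS-linked libldap
TLSCertificateFile /etc/ldap/server.crt
TLSCipherSuite NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:%SERVER_PRECEDENCE
"""
SAMPLE_LDAP_CONF = """\
# constructed /etc/ldap/ldap.conf fragment, copied from an OpenSSL how-to
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CIPHER_SUITE HIGH:!aNULL:!MD5:@STRENGTH
"""
SAMPLE_CN_CONFIG = """\
dn: cn=config
olcTLSCipherSuite: PFS:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
"""
ALL_SAMPLES = SAMPLE_SLAPD_CONF + SAMPLE_LDAP_CONF + SAMPLE_CN_CONFIG

if __name__ == "__main__":
    for n, value, syntax in scan_config(ALL_SAMPLES):
        print(f"line {n}: {syntax:8} {value}")
    for target in ("openssl", "gnutls"):
        bad = [n for n, _, _ in needs_rewrite(ALL_SAMPLES, target)]
        print(f"switching libldap to {target}: rewrite lines {bad}")
```

Run it against the real files (`cat /etc/ldap/slapd.conf /etc/ldap/ldap.conf /etc/ldap/slapd.d/cn=config.ldif`) before the backend switch; a "mixed" result usually means someone appended tokens from a how-to written for the other library, and "unknown" means the value uses only names both libraries accept, which still deserves a look because identical names do not guarantee identical meaning.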
