--On Wednesday, January 14, 2009 7:29 PM +0000 [email protected] wrote:

> [email protected] wrote:
>> Full_Name: Quanah Gibson-Mount
>> Version: 2.4.13
>> OS: NA
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (75.111.29.239)
>>
>>
>> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510346
>>
>> Summary from Simon Josefsson:
>>
>> A proper fix requires co-ordination with the OpenLDAP people. Either
>> they 1) remove all strange code for parsing ciphers for GnuTLS and only
>> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
>> they introduce a new configuration keyword TLS_PRIORITY that is sent
>> to GnuTLS's priority functions. Given that TLS_CIPHER_SUITE accepts
>> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
>> priority strings, so I would recommend 1). And improve the
>> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
>> manual in the OpenLDAP documentation.
>
> Sounds like we should do (1). There was no such API in GnuTLS when our
> support was written, which is why we had to go to the trouble of parsing
> the cipher suites ourselves. I'm fine with ripping that all out, if
> someone will tell us what minimum version of GnuTLS provides the new API.

Simon?

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
