Quanah Gibson-Mount <[email protected]> writes:

> --On Wednesday, January 14, 2009 7:29 PM +0000 [email protected] wrote:
>
>> [email protected] wrote:
>>> Full_Name: Quanah Gibson-Mount
>>> Version: 2.4.13
>>> OS: NA
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (75.111.29.239)
>>>
>>>
>>> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510346
>>>
>>> Summary from Simon Josefsson:
>>>
>>> A proper fix requires co-ordination with the OpenLDAP people. Either
>>> they 1) remove all strange code for parsing ciphers for GnuTLS and only
>>> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
>>> they introduce a new configuration keyword TLS_PRIORITY that is sent
>>> to GnuTLS's priority functions. Given that TLS_CIPHER_SUITE accepts
>>> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
>>> priority strings, so I would recommend 1). And improve the
>>> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
>>> manual in the OpenLDAP documentation.
>>
>> Sounds like we should do (1). There was no such API in GnuTLS when our
>> support was written, which is why we had to go to the trouble of parsing
>> the cipher suites ourselves. I'm fine with ripping that all out, if
>> someone will tell us what minimum version of GnuTLS provides the new API.
>
> Simon?
The APIs were released as stable for v2.2.0 on 2007-12-14.

Perhaps you could have an autoconf test for gnutls_priority_set_direct and
only enable the new code conditionally.

/Simon
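Option 1 from the summary above, as an added example that is neither OpenLDAP's nor GnuTLS's code: the TLS_CIPHER_SUITE string is handed to GnuTLS's priority functions unchanged, with the code compiled in only when an autoconf check for gnutls_priority_set_direct succeeded. The configure.ac lines, the HAVE_GNUTLS_PRIORITY_SET_DIRECT macro name and the TLS_PRIO_* return codes are assumptions; only the GnuTLS function names come from the thread and the GnuTLS API.

```c
/* Added example, not OpenLDAP's code: pass the TLS_CIPHER_SUITE string to
 * GnuTLS's priority API, compiled in only when configure found the function.
 * Assumed configure.ac lines (the macro name is what AC_CHECK_FUNCS emits):
 *   AC_CHECK_LIB([gnutls], [gnutls_global_init])
 *   AC_CHECK_FUNCS([gnutls_priority_set_direct])  */
#include <stdio.h>
#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
#include <gnutls/gnutls.h>
#endif

enum {                         /* assumed return codes */
    TLS_PRIO_OK = 0,
    TLS_PRIO_UNSUPPORTED = -1, /* GnuTLS older than 2.2.0: no priority API */
    TLS_PRIO_SYNTAX = -2       /* GnuTLS rejected the string */
};

/* Validate the string once at config-load time; on error *bad_offset is the
 * index GnuTLS reports, so a typo does not silently weaken the cipher list. */
int tls_priority_check(const char *suite, size_t *bad_offset)
{
    *bad_offset = 0;
#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
    gnutls_priority_t cache;
    const char *err_pos = NULL;
    int rc = gnutls_priority_init(&cache, suite, &err_pos);
    if (rc != GNUTLS_E_SUCCESS) {
        if (err_pos) *bad_offset = (size_t)(err_pos - suite);
        fprintf(stderr, "TLS_CIPHER_SUITE: %s\n", gnutls_strerror(rc));
        return TLS_PRIO_SYNTAX;
    }
    gnutls_priority_deinit(cache);
    return TLS_PRIO_OK;
#else
    (void)suite;
    return TLS_PRIO_UNSUPPORTED; /* fail closed: no hand-rolled fallback */
#endif
}

#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
/* Per session: the same string goes straight to GnuTLS, no local parsing. */
int tls_priority_apply(gnutls_session_t session, const char *suite)
{
    const char *err_pos = NULL;
    int rc = gnutls_priority_set_direct(session, suite, &err_pos);
    if (rc == GNUTLS_E_SUCCESS) return TLS_PRIO_OK;
    fprintf(stderr, "TLS_CIPHER_SUITE: %s near %s\n", gnutls_strerror(rc),
            err_pos ? err_pos : suite);
    return TLS_PRIO_SYNTAX;
}
#endif
```

Without the macro defined (GnuTLS absent or too old) the check returns TLS_PRIO_UNSUPPORTED rather than falling back to local cipher parsing.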
