On Tue, 2008-05-27 at 10:40 -0400, James Carlson wrote:
> Shi-Ying Irene Huang writes:
> > This fast-track increments the version of GnuTLS in Solaris
> > from 1.6.3 to 2.2.4.
>
> What I can't quite tell from this document is whether applications
> compiled against 1.6.3 will work with 2.2.4.
>
> Are there incompatible changes being made? If so, then what is the
> impact of those changes? What depends on them and how will they
> coordinate?
To adapt to changes in the TLS extension specifications for SRP, the GnuTLS API had to be modified. This means breaking the API and ABI backwards compatibility. Generally, most applications do not need to be modified. Just re-compile them against the latest GnuTLS release, and it should work fine. Applications that use the SRP features need to be modified. Below is a list of the modified APIs and a discussion of the minimal things you need to modify in your application to make it work with GnuTLS 2.2.4.

Note that GnuTLS 2.2.4 also introduces new APIs -- such as gnutls_set_priority(), which is superior to gnutls_set_default_priority() -- that you may want to start using. However, using those new APIs is not required to use GnuTLS 2.2.4, since the old functions are still supported.

> What breaks?

XML related changes
-------------------

The function `gnutls_x509_crt_to_xml' has been removed. It has been deprecated and only returned an error code since GnuTLS version 1.2.11.

TLS Authorization related changes
---------------------------------

Everything related to TLS authorization has been removed; these were only stub functions that returned an error code:

GNUTLS_SUPPLEMENTAL_AUTHZ_DATA
gnutls_authz_data_format_type_t
gnutls_authz_recv_callback_func
gnutls_authz_send_callback_func
gnutls_authz_enable
gnutls_authz_send_x509_attr_cert
gnutls_authz_send_saml_assertion
gnutls_authz_send_x509_attr_cert_url
gnutls_authz_send_saml_assertion_url

SRP related changes
-------------------

The callback gnutls_srp_client_credentials_function has a new prototype, and its semantics have changed. You need to rewrite the callback; see the updated function documentation and the SRP example code (doc/examples/ex-client-srp.c and doc/examples/ex-serv-srp.c) for more information.

The alert codes GNUTLS_A_MISSING_SRP_USERNAME and GNUTLS_A_UNKNOWN_SRP_USERNAME are no longer used by the SRP specification; instead the GNUTLS_A_UNKNOWN_PSK_IDENTITY alert is used.
There are #define's to map the old names to the new. You may run into problems if you have a switch-case with cases for both SRP alerts, since they are now mapped to the same value. The solution is to drop the SRP alerts from such switch cases, as they are now deprecated in favor of GNUTLS_A_UNKNOWN_PSK_IDENTITY.

> > Note:
> > The "extra" GnuTLS libraries -- which contain OpenPGP and TLS/IA
> > support, LZO compression, the OpenSSL compatibility library --
> > and the self tests and command line tools are distributed under
> > the GNU General Public License version 3.0 (or later), therefore,
> > we remove them.
>
> Yikes. Subordinating system architecture and open source
> compatibility to legal review seems like a long-term mistake.
>
> Is anyone looking at this problem? Or will Open Solaris (despite the
> best efforts of the Indiana team and the ARC "gang of four") just
> drift away from Linux as more things become GPLv3?

Sun's legal people told me that "Sun prefers not to use GPL v3, Sun prefers to use GPL v2". Once legal people allow us to ship libraries or applications in GPL v3, we will enable the "extra" libraries.

Jeff
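The switch-case pitfall described in the SRP section above, as an added example in C (not code from GnuTLS or from anyone in this thread). The real <gnutls/gnutls.h> is replaced by a stand-in enum so the file builds without the library: the alert number is the TLS wire value (unknown_psk_identity is 115 per RFC 4279) and the two #define's reproduce the old-name-to-new-name mapping the message describes.

```c
/* Added example, not code from GnuTLS or from this thread.  It stands in
 * for <gnutls/gnutls.h> so it builds without the library: the alert
 * values are the TLS wire values (unknown_psk_identity = 115, RFC 4279)
 * and the two #define's reproduce the mapping the message describes. */
#include <string.h>

typedef enum {
    GNUTLS_A_HANDSHAKE_FAILURE = 40,
    GNUTLS_A_UNKNOWN_PSK_IDENTITY = 115
} gnutls_alert_description_t;

/* GnuTLS 2.2.4 keeps the old SRP alert names only as aliases. */
#define GNUTLS_A_MISSING_SRP_USERNAME GNUTLS_A_UNKNOWN_PSK_IDENTITY
#define GNUTLS_A_UNKNOWN_SRP_USERNAME GNUTLS_A_UNKNOWN_PSK_IDENTITY

#if 0 /* The 1.6.3-era handler.  Against the 2.2.4 header both SRP
         labels expand to 115, so this no longer compiles
         ("duplicate case value").  Kept only for comparison. */
const char *describe_alert_old(int alert)
{
    switch (alert) {
    case GNUTLS_A_MISSING_SRP_USERNAME: return "SRP: username missing";
    case GNUTLS_A_UNKNOWN_SRP_USERNAME: return "SRP: username unknown";
    case GNUTLS_A_HANDSHAKE_FAILURE:    return "handshake failure";
    default:                            return "other alert";
    }
}
#endif

/* Migrated handler: the SRP cases are dropped and the single PSK alert
 * is treated as a generic identity rejection, as the message advises.
 * Callers still passing the old names land in the same case. */
const char *describe_alert(int alert)
{
    switch (alert) {
    case GNUTLS_A_UNKNOWN_PSK_IDENTITY: return "identity rejected";
    case GNUTLS_A_HANDSHAKE_FAILURE:    return "handshake failure";
    default:                            return "other alert";
    }
}

/* The two legacy names are one value, which is why the old switch breaks. */
int srp_aliases_collapse(void)
{
    return GNUTLS_A_MISSING_SRP_USERNAME == GNUTLS_A_UNKNOWN_SRP_USERNAME;
}
```

Flipping the `#if 0` to `#if 1` reproduces the compiler error a 1.6.3-era application hits when rebuilt against 2.2.4.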