[Pkg-openldap-devel] Bug#462588: Same problem

Steve Langasek vorlon at debian.org
Sun Feb 3 18:56:34 UTC 2008


A patch has been committed to the package svn tree to fix handling of cipher
lists, which leaves this issue:

On Tue, Jan 29, 2008 at 11:09:32AM -0800, Steve Langasek wrote:
> I'm not sure if we should also try to migrate the OpenSSL-specific cipher
> specs to GNUTLS equivalents as part of the package upgrade.

I had a poke around http://www.openssl.org/docs/apps/ciphers.html, which
lists all the various keywords recognized by OpenSSL.  Mapping these onto
the known GnuTLS ciphers using 'openssl ciphers -v' and 'gnutls-cli -l',
here's what I get:

MEDIUM -> TLS_ANON_DH_ARCFOUR_MD5:TLS_RSA_ARCFOUR_SHA1:TLS_RSA_ARCFOUR_MD5
HIGH -> TLS_ANON_DH_AES_256_CBC_SHA1:TLS_DHE_RSA_AES_256_CBC_SHA1:TLS_DHE_DSS_AES_256_CBC_SHA1:TLS_RSA_AES_256_CBC_SHA1:TLS_ANON_DH_AES_128_CBC_SHA1:TLS_DHE_RSA_AES_128_CBC_SHA1:TLS_DHE_DSS_AES_128_CBC_SHA1:TLS_RSA_AES_128_CBC_SHA1:TLS_ANON_DH_3DES_EDE_CBC_SHA1:TLS_DHE_RSA_3DES_EDE_CBC_SHA1:TLS_DHE_DSS_3DES_EDE_CBC_SHA1:TLS_RSA_3DES_EDE_CBC_SHA1
LOW -> empty list
DEFAULT -> MED+HIGH, w/o ANON_DH, w/ TLS_RSA_EXPORT_ARCFOUR_40_MD5
EXP,EXPORT,EXPORT40 -> TLS_RSA_EXPORT_ARCFOUR_40_MD5
eNULL,NULL -> TLS_RSA_NULL_MD5
aNULL -> TLS_ANON_DH_AES_256_CBC_SHA1:TLS_ANON_DH_AES_128_CBC_SHA1:TLS_ANON_DH_3DES_EDE_CBC_SHA1:TLS_ANON_DH_ARCFOUR_MD5
SSLv2 -> empty list

But this is only a partial list of the most relevant aliases; there are also
aliases for each authentication, key exchange, and encryption algorithm, and
OpenSSL supports various forms of negation and sorting that aren't supported
here by GnuTLS.

I'm pretty sure I don't want to implement support for migrating the full set
of OpenSSL cipher specs in shell. :P

Do you think converting the above aliases would be good enough coverage?  Or
do we need to provide some upgrade handling for all the possibilities, and
therefore we're doomed to add yet another debconf error message here?  In
the latter case I'm probably not going to spend the effort on auto-migrating
any of the values.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
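An added example, not code from the openldap package or from anyone in this thread: a POSIX sh sketch of the alias-only migration discussed above, using the GnuTLS lists from the table in the message. It assumes an order for DEFAULT (the HIGH suites, then MEDIUM, then the export suite), since the message gives only the membership rule, and it deliberately refuses anything the table does not cover (negation with ! or -, preference bumps with +, @STRENGTH sorting, per-algorithm aliases such as RSA or AES), so a maintainer script can fall back to warning the admin instead of installing a guessed list. The cipher names are the 2008 gnutls-cli names the message uses; current GnuTLS configures this through priority strings instead, and the RC4, 3DES and 40-bit export suites in these lists are broken and should not be re-enabled on a modern server.

```shell
#!/bin/sh
# Added example, not the openldap package's migration code: map the OpenSSL
# cipher aliases from the table in the message above onto the GnuTLS cipher
# names it lists.  Anything outside that table makes the conversion fail so a
# maintainer script can fall back to warning the admin instead of guessing.

# Lists copied from the message (2008-era gnutls-cli names).
MEDIUM_LIST=TLS_ANON_DH_ARCFOUR_MD5:TLS_RSA_ARCFOUR_SHA1:TLS_RSA_ARCFOUR_MD5
HIGH_LIST=TLS_ANON_DH_AES_256_CBC_SHA1:TLS_DHE_RSA_AES_256_CBC_SHA1:TLS_DHE_DSS_AES_256_CBC_SHA1:TLS_RSA_AES_256_CBC_SHA1
HIGH_LIST=$HIGH_LIST:TLS_ANON_DH_AES_128_CBC_SHA1:TLS_DHE_RSA_AES_128_CBC_SHA1:TLS_DHE_DSS_AES_128_CBC_SHA1:TLS_RSA_AES_128_CBC_SHA1
HIGH_LIST=$HIGH_LIST:TLS_ANON_DH_3DES_EDE_CBC_SHA1:TLS_DHE_RSA_3DES_EDE_CBC_SHA1:TLS_DHE_DSS_3DES_EDE_CBC_SHA1:TLS_RSA_3DES_EDE_CBC_SHA1
ANULL_LIST=TLS_ANON_DH_AES_256_CBC_SHA1:TLS_ANON_DH_AES_128_CBC_SHA1:TLS_ANON_DH_3DES_EDE_CBC_SHA1:TLS_ANON_DH_ARCFOUR_MD5
EXPORT_LIST=TLS_RSA_EXPORT_ARCFOUR_40_MD5
NULL_LIST=TLS_RSA_NULL_MD5

# Drop the anonymous-DH suites from a colon-separated list: the message's
# "w/o ANON_DH" rule for DEFAULT.
without_anon_dh() {
    _out=
    _ifs=$IFS; IFS=:
    for _s in $1; do
        case "$_s" in
            TLS_ANON_DH_*) continue ;;
        esac
        _out=${_out:+$_out:}$_s
    done
    IFS=$_ifs
    printf '%s\n' "$_out"
}

# DEFAULT = MEDIUM+HIGH without ANON_DH, plus the export suite.  The order
# (HIGH, then MEDIUM, then export) is an assumption; the message gives only
# the membership rule.
DEFAULT_LIST=$(without_anon_dh "$HIGH_LIST:$MEDIUM_LIST"):$EXPORT_LIST

# One OpenSSL alias -> its GnuTLS list.  Empty output with status 0 means
# "valid alias, but GnuTLS has no suites for it" (LOW, SSLv2); status 1 means
# the alias is not in the table at all.
gnutls_for_alias() {
    case "$1" in
        MEDIUM)              printf '%s\n' "$MEDIUM_LIST" ;;
        HIGH)                printf '%s\n' "$HIGH_LIST" ;;
        DEFAULT)             printf '%s\n' "$DEFAULT_LIST" ;;
        EXP|EXPORT|EXPORT40) printf '%s\n' "$EXPORT_LIST" ;;
        eNULL|NULL)          printf '%s\n' "$NULL_LIST" ;;
        aNULL)               printf '%s\n' "$ANULL_LIST" ;;
        LOW|SSLv2)           printf '\n' ;;
        *)                   return 1 ;;
    esac
}

# Whole OpenSSL spec ("HIGH:MEDIUM:!aNULL") -> GnuTLS list on stdout.
# Returns 1 for syntax the table cannot express (negation with ! or -,
# preference with +, @STRENGTH sorting, unknown aliases) and 2 when every
# element mapped to nothing, so the caller never installs a guessed list.
openssl_to_gnutls() {
    _out=
    _ifs=$IFS; IFS=': ,'   # OpenSSL accepts ':', ',' and space as separators
    for _e in $1; do
        [ -n "$_e" ] || continue
        case "$_e" in
            !*|-*|+*|@*) IFS=$_ifs; return 1 ;;
        esac
        _m=$(gnutls_for_alias "$_e") || { IFS=$_ifs; return 1; }
        [ -n "$_m" ] || continue
        _out=${_out:+$_out:}$_m
    done
    IFS=$_ifs
    [ -n "$_out" ] || return 2
    printf '%s\n' "$_out"
}

# Demo: a spec the table covers, and one it refuses.
openssl_to_gnutls 'HIGH:MEDIUM'
openssl_to_gnutls 'HIGH:!aNULL' \
    || echo "cannot auto-migrate 'HIGH:!aNULL'; leave it for the admin" >&2
```

A postinst would call openssl_to_gnutls on the old TLSCipherSuite value and, on a non-zero status, leave the value untouched and raise the debconf note the message is weighing; the two failure codes let it word that note differently for "unsupported syntax" versus "no GnuTLS equivalent".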