[Pkg-openldap-devel] Bug#541256: Bug#541256: Bug#541256: TLS: could not set cipher list TLS_RSA_AES_256_CBC_SHA1

Steve Langasek vorlon at debian.org
Thu Aug 13 10:42:56 UTC 2009


tags 541256 confirmed
thanks

On Wed, Aug 12, 2009 at 02:49:05PM -0700, Quanah Gibson-Mount wrote:
> >Note that a difference for GnuTLS with 2.4.17 is that it uses gcrypt if a
> >newer GnuTLS is detected, so it is possible gcrypt is broken.

> Please see the upstream comments.  The issue is broken behavior on
> GnuTLS' part.

   This appears to be caused by our switch to using GnuTLS's cipher suite
   parsing functions in 2.4.14 (due to ITS#5887). The syntax that GnuTLS
   uses is quite different from what we were using in 2.4.13 and earlier.

A change in behavior because OpenLDAP has switched to using a different
parser for cipher suites than what was in place previously isn't "broken
behavior on GnuTLS' part".  Your continuous maligning of GnuTLS in Debian
bug reports is unhelpful; we cannot ship libldap linked against OpenSSL for
license reasons, so reminding us how much you disapprove of GnuTLS isn't
going to change anything - aside from discouraging me from spending time on
bug mail for the openldap package.

If the current parser behavior is going to remain in place (which is not yet
clear), then we should address this in the packaging on upgrade, either by
converting the TLSCipherSuite values automatically or at minimum by
notifying the user that an adjustment will be needed.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
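The "at minimum notify the user" option above, sketched as an added example; this is not code from the bug report or from the Debian openldap package. It assumes the pre-2.4.14 TLSCipherSuite syntax is a ":"-joined list of TLS_... cipher names such as TLS_RSA_AES_256_CBC_SHA1 (the value in the bug title), and that GnuTLS priority strings never contain "TLS_".

```sh
#!/bin/sh
# Added example, not code from the bug report or the Debian openldap package.
# Finds TLSCipherSuite values in the pre-2.4.14 OpenLDAP syntax, which the
# GnuTLS priority-string parser used from 2.4.14 on rejects with
# "TLS: could not set cipher list ...".
# Assumption: old-style values are ":"-joined TLS_... cipher names such as
# TLS_RSA_AES_256_CBC_SHA1; GnuTLS priority strings never contain "TLS_".

# Print every old-syntax TLSCipherSuite value in the slapd.conf given as $1.
old_ciphersuite_values() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "tlsciphersuite" && NF >= 2 {
            if ($2 ~ /(^|:)TLS_[A-Z0-9_]+/) print $2
        }
    ' "$1"
}

# Upgrade-time check in maintainer-script style: emit a notice naming each
# value that needs converting and return 1; return 0 when nothing is needed
# (including when the file does not exist at all).
check_tlsciphersuite_upgrade() {
    conf="$1"
    [ -r "$conf" ] || return 0
    vals=$(old_ciphersuite_values "$conf")
    [ -n "$vals" ] || return 0
    printf 'NOTICE: %s sets TLSCipherSuite in pre-2.4.14 syntax;\n' "$conf" >&2
    printf '        rewrite it as a GnuTLS priority string:\n' >&2
    printf '%s\n' "$vals" | sed 's/^/          /' >&2
    return 1
}

# Constructed sample config (not a real Debian file) for a stand-alone run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# slapd.conf fragment (constructed sample)
TLSCertificateFile /etc/ldap/server.crt
TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1
EOF
check_tlsciphersuite_upgrade "$sample" || echo "TLSCipherSuite adjustment needed"
rm -f "$sample"
```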
