Bug#976991: libldap-2.4-2:amd64: Please consider building with openssl instead of gnutls

Matt Zagrabelny mzagrabe at d.umn.edu
Wed Dec 9 20:00:04 GMT 2020


On Wed, Dec 9, 2020 at 1:45 PM Steve Langasek <vorlon at debian.org> wrote:

> On Wed, Dec 09, 2020 at 01:07:11PM -0600, Matt Zagrabelny wrote:
> > Unfortunately FreeRADIUS is linked against openssl and cannot properly use
> > Debian's libldap-2.4-2, which is linked against gnutls, for TLS
> > communication.
>
> Independent of questions of whether openldap should switch to openssl, could
> you elaborate why FreeRADIUS being linked against openssl causes a problem
> for a module linked against gnutls?  The two implementations should be
> entirely independent and able to operate independently within the same
> process.
>

I agree. It should work. Why it doesn't...

Short answer: I don't know.

Medium answer: Upstream states that gnutls claims to be compatible with
openssl, but it isn't compatible. If you search the net for "Alan DeKok
openssl gnutls ldap" you'll get hits.

Long guessing answer: Perhaps the FR LDAP module (rlm_ldap) makes library
calls that it expects to behave a certain way. If gnutls is providing those
function endpoints, it might be failing because the module (rlm_ldap) is
using openssl specific semantics.

I can confirm empirically that FR using libldap* works when openldap is
built with openssl and fails when libldap* uses gnutls. It fails at the TLS
layer - that is, the TLS connection fails.

I would wager that upstream has no interest in modifying its code to work
with gnutls (or Mozilla NSS).

-m
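As an added diagnostic that is not part of the bug report, FreeRADIUS or OpenLDAP: a small POSIX shell script that reads `ldd` listings and reports which TLS backend each object is linked against, so the openssl-versus-gnutls split described in the message above can be checked on a given host before any TLS debugging starts. The library sonames (libssl/libcrypto for OpenSSL, libgnutls for GnuTLS, libnss3 for NSS), the Debian amd64 paths in the wrapper and the sample listings are assumptions; the listings are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: classify the TLS backend an executable or shared library is
# linked against, from the text of an `ldd` listing. Soname patterns are
# assumptions based on common naming, not something the bug report states.

# tls_backends_in_ldd LISTING
# Prints the TLS libraries found in LISTING, space separated, in a fixed
# order (openssl gnutls nss), or "none" when no TLS library is listed.
tls_backends_in_ldd() {
    listing=$1
    found=""
    if printf '%s\n' "$listing" | grep -q 'libssl\.so'; then
        found="$found openssl"
    fi
    if printf '%s\n' "$listing" | grep -q 'libgnutls\.so'; then
        found="$found gnutls"
    fi
    if printf '%s\n' "$listing" | grep -q 'libnss3\.so'; then
        found="$found nss"
    fi
    if [ -z "$found" ]; then
        echo none
    else
        echo "${found# }"   # strip the leading space
    fi
}

# tls_backends_match EXE_LISTING LIB_LISTING
# Returns 0 when both objects use the same backend set, 1 when they differ
# (the radiusd-on-OpenSSL, libldap-on-GnuTLS split from the report). A
# mismatch is only a hint that two TLS stacks share the process; it is not
# by itself proof that the TLS connection will fail.
tls_backends_match() {
    a=$(tls_backends_in_ldd "$1")
    b=$(tls_backends_in_ldd "$2")
    if [ "$a" = "$b" ]; then
        echo "match: both use [$a]"
        return 0
    fi
    echo "mismatch: executable uses [$a], library uses [$b]"
    return 1
}

# Wrapper over the real tool. Default paths are assumptions for Debian amd64.
check_installed() {
    exe=${1:-/usr/sbin/freeradius}
    lib=${2:-/usr/lib/x86_64-linux-gnu/libldap-2.4.so.2}
    for f in "$exe" "$lib"; do
        [ -r "$f" ] || { echo "not found: $f" >&2; return 2; }
    done
    tls_backends_match "$(ldd "$exe")" "$(ldd "$lib")"
}

# Constructed sample listings (not captured from a real system).
SAMPLE_RADIUSD='
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f00)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f01)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)'
SAMPLE_LIBLDAP_GNUTLS='
    liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f10)
    libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f11)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f12)'
SAMPLE_LIBLDAP_OPENSSL='
    liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f10)
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f11)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f12)'

# Demonstration on the constructed samples: the Debian (gnutls) build of
# libldap reports a mismatch against an OpenSSL-linked radiusd, a rebuild
# against OpenSSL reports a match.
tls_backends_match "$SAMPLE_RADIUSD" "$SAMPLE_LIBLDAP_GNUTLS" || true
tls_backends_match "$SAMPLE_RADIUSD" "$SAMPLE_LIBLDAP_OPENSSL" || true
```

When running `check_installed` on a real host, also pass the rlm_ldap module object (under the FreeRADIUS module directory, path varies by release) as the second argument, because the server loads rlm_ldap with dlopen at runtime and `ldd` on the radiusd binary alone will not list libldap. To exercise libldap's TLS layer without FreeRADIUS in the picture, `ldapsearch -ZZ -d 1` from ldap-utils forces StartTLS and prints the negotiation, which separates a libldap/gnutls configuration problem from the mixed-process issue discussed in the thread.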