On 10/03/2012 10:18 AM, Howard Chu wrote:
> Thanks for your comments, Rich.
>
> ri...@stanfordalumni.org wrote:
>>> On Tuesday 02 of October 2012 14:18:49, h...@symas.com wrote:
>>>> Back to this point - surely OpenLDAP libldap is not the only piece of
>>>> software that expects to use OpenSSL-style cipher suite names. libldap is
>>>> certainly not the best place to put this translation.
>>> I'm not sure about that. We tried to go a "compatible" way with OpenLDAP,
>>> don't know about other projects. I will take a look.
>> This is the nss_compat_ossl library approach, which attempts to make
>> moznss look as much like openssl as possible to applications. I thought
>> about trying to use that with openldap a few years ago when we first
>> started looking at having openldap support moznss, but Howard had
>> already done a great deal of work to make the tls code "pluggable" with
>> tls2.c and tls_m.c, which takes the approach of using the moznss code
>> directly rather than indirectly through another layer. This has been
>> the preferred approach of the Red Hat and Fedora teams that were
>> attempting to replace openssl with moznss. nss_compat_ossl has not been
>> actively worked on for a couple of years, and would require many changes
>> to support multi-init, multiple key/cert databases, and other fixes that
>> have gone into tls_m.c.
>>
>> I suppose we could try to get some sort of openssl cipher name support
>> directly in upstream moznss, but they would probably assert that it
>> doesn't belong there either.
>>
>> Maybe we could use nss_compat_ossl to do the mapping of cipher names
>> from openssl to moznss?
>
> That makes sense to me, although if as you say it hasn't been actively
> maintained, that sounds like another problem. But certainly if other
> apps are using it, then aren't they going to want new cipher suite
> support too?
>
Yes, and imho nss_compat_ossl is the place to do this.
But, would it be possible to update the cipher suite list in tls_m.c first, to bring it up to date, then work on updating the compat library?
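The translation the thread is arguing about, as an added example that is not part of the original message and is not the code in OpenLDAP's tls_m.c or in nss_compat_ossl: an OpenSSL-style cipher spec (the kind of string an application hands to SSL_CTX_set_cipher_list, or that OpenLDAP accepts in TLSCipherSuite) is turned into TLS cipher suite numbers and the IANA names that NSS uses for its suite constants. The table is a small hand-picked subset chosen for illustration, the keyword matching is a simplification of OpenSSL's, and the sample spec in main() is constructed; all three are assumptions of this example. It handles the '!' (remove permanently) and '-' (remove until re-added) operators and the ALL/DEFAULT keywords; the '+' reorder operator and @STRENGTH are deliberately rejected rather than modelled.

```c
/* Added example (not OpenLDAP tls_m.c or nss_compat_ossl code): translate
 * an OpenSSL-style cipher spec such as "ECDHE-RSA-AES128-GCM-SHA256:!RC4"
 * into TLS cipher suite numbers and the IANA names that NSS's sslproto.h
 * uses for its constants.  The table is a small hand-picked subset and is
 * an assumption of this example, as is the simplified keyword matching. */
#include <stdio.h>
#include <string.h>

struct cipher_map {
    const char    *ossl;  /* OpenSSL cipher name */
    const char    *iana;  /* IANA name, as used for the NSS constant */
    unsigned short id;    /* TLS cipher suite number */
};

static const struct cipher_map map[] = {
    { "ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC02F },
    { "ECDHE-RSA-AES256-GCM-SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0xC030 },
    { "DHE-RSA-AES128-SHA",          "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",      0x0033 },
    { "DHE-RSA-AES256-SHA",          "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",      0x0039 },
    { "AES128-SHA",                  "TLS_RSA_WITH_AES_128_CBC_SHA",          0x002F },
    { "AES256-SHA",                  "TLS_RSA_WITH_AES_256_CBC_SHA",          0x0035 },
    { "DES-CBC3-SHA",                "TLS_RSA_WITH_3DES_EDE_CBC_SHA",         0x000A },
    { "RC4-SHA",                     "TLS_RSA_WITH_RC4_128_SHA",              0x0005 },
    { "RC4-MD5",                     "TLS_RSA_WITH_RC4_128_MD5",              0x0004 },
};
#define NSUITES ((int)(sizeof(map) / sizeof(map[0])))

/* Does OpenSSL token tok select table entry e?  A token containing '-' is a
 * full cipher name and must match exactly; a bare word is treated as a keyword
 * that selects every name having it as a '-'-separated component ("RC4"
 * selects RC4-SHA and RC4-MD5).  ALL and DEFAULT select everything. */
static int token_matches(const char *tok, const struct cipher_map *e)
{
    size_t n = strlen(tok);
    const char *p;

    if (strcmp(tok, "ALL") == 0 || strcmp(tok, "DEFAULT") == 0)
        return 1;
    if (strchr(tok, '-') != NULL)
        return strcmp(tok, e->ossl) == 0;
    for (p = e->ossl; ; p++) {
        if (strncmp(p, tok, n) == 0 && (p[n] == '-' || p[n] == '\0'))
            return 1;
        p = strchr(p, '-');
        if (p == NULL)
            return 0;
    }
}

/* Append suite i to the ordered list, dropping any earlier occurrence so a
 * suite removed with '-' and added again goes to the end, as in OpenSSL. */
static void order_append(int *order, int *nord, int i)
{
    int k, w = 0;
    for (k = 0; k < *nord; k++)
        if (order[k] != i)
            order[w++] = order[k];
    order[w++] = i;
    *nord = w;
}

/* Parse spec into the enabled cipher suite numbers, in list order.  '!'
 * removes suites permanently, '-' removes them until re-added.  The '+'
 * reorder operator and @STRENGTH are not modelled and are rejected.  Returns
 * the number of ids stored in out (at most max), or -1 for an unknown or
 * unsupported token. */
int ossl_cipher_spec_to_ids(const char *spec, unsigned short *out, int max)
{
    int enabled[NSUITES] = {0}, killed[NSUITES] = {0}, order[NSUITES];
    int nord = 0, count = 0, i, k;
    char buf[512], *tok;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    for (tok = strtok(buf, ":, "); tok != NULL; tok = strtok(NULL, ":, ")) {
        int mode = 0, matched = 0;   /* mode: 0 add, 1 delete, 2 kill */

        if (*tok == '!')      { mode = 2; tok++; }
        else if (*tok == '-') { mode = 1; tok++; }
        else if (*tok == '+' || *tok == '@') return -1;

        for (i = 0; i < NSUITES; i++) {
            if (!token_matches(tok, &map[i]))
                continue;
            matched = 1;
            if (mode == 0) {
                if (!enabled[i] && !killed[i]) {
                    enabled[i] = 1;
                    order_append(order, &nord, i);
                }
            } else {
                enabled[i] = 0;
                if (mode == 2)
                    killed[i] = 1;
            }
        }
        if (!matched)
            return -1;   /* token names nothing in our table */
    }
    for (k = 0; k < nord && count < max; k++)
        if (enabled[order[k]])
            out[count++] = map[order[k]].id;
    return count;
}

const char *iana_name_for_id(unsigned short id)
{
    int i;
    for (i = 0; i < NSUITES; i++)
        if (map[i].id == id)
            return map[i].iana;
    return NULL;
}

int main(void)
{
    /* Constructed sample spec in the style of an OpenLDAP TLSCipherSuite value. */
    const char *spec = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:RC4-SHA:!RC4";
    unsigned short ids[NSUITES];
    int n = ossl_cipher_spec_to_ids(spec, ids, NSUITES), i;

    if (n < 0) {
        fprintf(stderr, "unsupported cipher spec: %s\n", spec);
        return 1;
    }
    for (i = 0; i < n; i++)
        printf("0x%04X %s\n", (unsigned)ids[i], iana_name_for_id(ids[i]));
    return 0;
}
```

The point the thread makes shows up in the code: the parser and the keyword semantics are generic OpenSSL behaviour that every application accepting OpenSSL-style specs needs, while only the table is NSS-specific, and the table is exactly the part that goes stale as new suites appear. An unknown token returns -1 here so a stale table is noticed at configuration time rather than silently narrowing the enabled set.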