[email protected] wrote:
> On Mon, Jun 30, 2014 at 5:05 AM, Howard Chu <[email protected]> wrote:
>> The only reason GnuTLS support exists in OpenLDAP is because of Debian.
>> Therefore, if Debian no longer uses libgcrypt, I'm happy to rip all of that
>> crap out.
>
> Sounds good to me. So a patch that removes gcrypt entirely looks like:
>
> ftp://ftp.openldap.org/incoming/20140630_rtandy_0001-ITS-7877-use-nettle-instead-of-gcrypt.patch
>
> (I assume the explicit threading setup is important, if not maybe the
> gnutls_global_set_mutex part could be removed too...)
>
> That requires gnutls 2.12.0 or newer, so then I think we can also
> remove the compatibility code for older versions:
>
> ftp://ftp.openldap.org/incoming/20140630_rtandy_0002-assume-gnutls-provides-cipher-suites.patch
> ftp://ftp.openldap.org/incoming/20140630_rtandy_0003-assume-gnutls-is-at-least-2.12.0.patch
>
>> Just tell us at which version of GnuTLS you switched to nettle and we'll make
>> that the minimum supported version.
>
> Debian builds gnutls with nettle starting from 3.0.0. The API used in
> tls_g.c is all backend agnostic though. I tried with 2.12.20 (with
> gcrypt backend) and everything looks fine in slapd and clients
> including the threading setup. I think 2.12.0 as minimum version would
> be fine, and then nettle vs gcrypt only matters for smbk5pwd users.
>
> Thanks for considering my patches.
Committed to master. I've also added a check for 2.12.0 to the configure script.

-- 
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
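A minimal form of the configure-time floor Howard mentions, added here as an illustration and not taken from OpenLDAP's actual configure script (the thread only states that a 2.12.0 check was added and does not show it). The version_ge and check_gnutls_version helpers are this example's own, as is the fallback to 2.12.20 (the version the thread reports as tested) when pkg-config cannot report an installed GnuTLS:

```shell
#!/bin/sh
# Added example, not OpenLDAP's configure script. It shows the minimum-version
# decision such a script has to make, using a portable dotted-version
# comparison in plain sh. The helper names and the fallback version used when
# pkg-config is unavailable are this example's own assumptions.

MIN_GNUTLS_VERSION=2.12.0   # floor agreed in the thread

# version_ge A B: exit 0 if dotted version A >= B, else exit 1.
# Components are compared numerically, left to right; a missing trailing
# component counts as 0 (so "2.12" equals "2.12.0"). A pre-release suffix
# such as "-rc1" is stripped first, since only the numeric part matters here.
version_ge() {
    a=${1%%[!0-9.]*}
    b=${2%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}                      # leading component of each
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac  # drop that component
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        ax=${ax:-0}; bx=${bx:-0}
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
    done
    return 0                                          # all components equal
}

# check_gnutls_version V: the go/no-go decision configure would make for an
# installed GnuTLS version V. Exit 0 when V meets the floor, 1 otherwise.
check_gnutls_version() {
    if version_ge "$1" "$MIN_GNUTLS_VERSION"; then
        echo "checking GnuTLS version... $1 (>= $MIN_GNUTLS_VERSION), ok"
        return 0
    fi
    echo "configure: error: GnuTLS $1 is too old; $MIN_GNUTLS_VERSION or newer is required" >&2
    return 1
}

# Stand-alone run: ask pkg-config for the installed version, as a configure
# script would. If pkg-config or gnutls.pc is missing, fall back to 2.12.20
# (the version the thread reports as tested) so the script still runs offline.
installed=$(pkg-config --modversion gnutls 2>/dev/null || echo 2.12.20)
check_gnutls_version "$installed"
```

Comparing version strings component by component rather than lexically is what keeps 2.12.20 from sorting below 2.12.3, and it is why the 2.12 vs 2.12.0 case has to be handled explicitly. A pkg-config check only proves what gnutls.pc says is installed; if headers and library can diverge on a build host, pairing it with a compile-time test of GNUTLS_VERSION_NUMBER from gnutls/gnutls.h catches the mismatch that this shell check alone cannot.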
