Greetings,
Attached is a patch which adds support for GNU TLS in place of
OpenSSL for transport encryption. It was written by Steve Langasek
and the copyright for it is included in the patch (LGPL). By using
this patch Debian will now be able to distribute TLS-enabled OpenLDAP
libraries and GPL programs which use them. This means TLS-enabled
OpenLDAP libraries and servers will be included by default in the next
Debian release and in Debian's 'testing' archive.
(Patch not included due to making message too long for this list, you
can find it here: http://snowman.net/openldap-gnutls2.patch )
Notes:
* SASL external with TLS certificates for TLS authentication
is not supported yet (see below).
* GNU TLS does not support a 'trace' option.
* GNU TLS is currently set as 'preferred' if both GNU TLS and
OpenSSL are available. This can be easily changed.
* install-sh was added since configure generated with autoconf
2.57 complained about it missing.
* This patch was made against 2.1.17 but will apply almost
cleanly against 2.1.21 and has been tested with both.
This patch has been tested and works in all configurations:
    GNU TLS client -> GNU TLS server
    GNU TLS client -> OpenSSL server
    OpenSSL client -> GNU TLS server
    OpenSSL client -> OpenSSL server (previously supported)
This patch has not been tested under heavy load yet. We would
appreciate feedback from anyone who has the opportunity to do such
testing.
We feel this patch is ready for inclusion into OpenLDAP with the
caveat that people using it should be aware that support was newly
added and so there is higher probability of bugs until more exposure
and testing is done. We would be happy to file an ITS for inclusion
of this patch if this list feels it will be included.
Below is more detailed information about the patch:
The patch adds the files:
  include/ldap_pvt_gnutls.h
    headers for the internal GNUTLS/OpenSSL wrapper
  libraries/libldap/gnutls.c
    Compatibility wrapper for calling GNU TLS with the OpenSSL API
  build/install-sh
    Added because configure complained about it being missing after
    running autoconf && autoheaders (autoconf version 2.57-5).
The patch modifies the files:
  configure.in
    Add gnutls option with appropriate header checks, if GNU TLS is
    available it will be used in preference to OpenSSL. This can be
    easily changed to make OpenSSL the preference, of course.
  libraries/libldap/Makefile.in
    Add gnutls.c and gnutls.lo to the appropriate variables so that
    gnutls support is compiled.
  libraries/libldap/getdn.c
    Add Stub function: disable this for now, there's a lot of conversion
    code that needs to be written to make this work with GNUTLS (OIDs,
    etc). (Function is: ldap_X509dn2bv). Note: This means that SASL
    external with TLS certificates for TLS authentication will not work
    when using GNU TLS. We hope that someone who uses this will be
    willing to add the support for this.
  libraries/libldap/tls.c
    Add the appropriate include for the gnutls headers. Move OpenSSL
    specific prototypes and functions into #ifndef HAVE_GNUTLS_GNUTLS_H
    blocks. Note: GNU TLS does not support a 'trace' option. GNU TLS
    also does not support SSL version 2. This also adds sections to
    certain functions for GNU TLS support where necessary.
  libraries/libldap_r/Makefile.in
    Add gnutls.c and gnutls.lo to the appropriate variables so that
    gnutls support is compiled.
  servers/slapd/schema_init.c
    Add the include if using GNU TLS for ldap_pvt_gnutls.h and the
    gnutls headers. Surround OpenSSL using asn1_integer2str with
    #ifndef HAVE_GNUTLS_GNUTLS_H. return LDAP_INVALID_SYNTAX when
    trying to use TLS authentication in functions which need it when
    using GNU TLS since it is not supported.
Thanks,
Stephen Frost
Debian OpenLDAP co-maintainer
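Because the message above states that the two backends differ in what they support (no 'trace' option, no SSL version 2, and no SASL external with TLS certificates under GNU TLS), an operator deploying the patched packages will want to confirm which backend a given libldap build actually links before relying on those features. The following is an added example, not part of the patch or of the message: a POSIX shell function that classifies `ldd`-style output for a libldap shared object by the TLS library it depends on, plus a function listing the caveats the message gives for each backend. The sample `ldd` lines are constructed for the example, and the library sonames and paths in them are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original patch or message): classify a libldap
# build by the TLS backend it links, based on ldd-style output, and report
# the feature caveats the announcement lists for that backend.

# Constructed sample ldd output; sonames and paths are illustrative only.
SAMPLE_LDD_GNUTLS='	liblber-2.1.so.0 => /usr/lib/liblber-2.1.so.0 (0x40000000)
	libgnutls.so.7 => /usr/lib/libgnutls.so.7 (0x40010000)
	libc.so.6 => /lib/libc.so.6 (0x40100000)'

SAMPLE_LDD_OPENSSL='	liblber-2.1.so.0 => /usr/lib/liblber-2.1.so.0 (0x40000000)
	libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x40010000)
	libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40050000)
	libc.so.6 => /lib/libc.so.6 (0x40100000)'

SAMPLE_LDD_NONE='	liblber-2.1.so.0 => /usr/lib/liblber-2.1.so.0 (0x40000000)
	libc.so.6 => /lib/libc.so.6 (0x40100000)'

# tls_backend_from_ldd TEXT
#   Prints "gnutls", "openssl" or "none" depending on which TLS library
#   appears in the ldd output passed as $1. A build that links both is
#   reported as gnutls, mirroring the 'preferred' choice in the announcement.
tls_backend_from_ldd() {
    case "$1" in
        *libgnutls.so*) echo gnutls ;;
        *libssl.so*)    echo openssl ;;
        *)              echo none ;;
    esac
}

# tls_backend_caveats BACKEND
#   Prints one line per limitation the announcement lists for the backend.
tls_backend_caveats() {
    case "$1" in
        gnutls)
            echo "no 'trace' TLS option"
            echo "no SSL version 2"
            echo "no SASL EXTERNAL with TLS client certificates (ldap_X509dn2bv stubbed)"
            ;;
        openssl)
            echo "previously supported configuration; no new caveats"
            ;;
        *)
            echo "no TLS backend linked: transport encryption unavailable"
            ;;
    esac
}

# check_libldap PATH
#   Runs ldd on a real library and prints backend plus caveats. Not invoked
#   automatically so the script stays runnable without a libldap installed.
check_libldap() {
    backend=$(tls_backend_from_ldd "$(ldd "$1" 2>/dev/null)")
    echo "$1: $backend"
    tls_backend_caveats "$backend" | sed 's/^/  - /'
}

# Stand-alone demonstration on the constructed samples.
for name in GNUTLS OPENSSL NONE; do
    eval "sample=\$SAMPLE_LDD_$name"
    backend=$(tls_backend_from_ldd "$sample")
    echo "sample $name -> $backend"
    tls_backend_caveats "$backend" | sed 's/^/  - /'
done
```

On a real system the check is `check_libldap /path/to/libldap.so` (path is your own); if it reports gnutls, expect the limitations listed in the message until the X.509 DN conversion in getdn.c is implemented.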