Comment 3 for bug 1905790

Robie Basak (racb) wrote: Re: [Bug 1905790] Re: Recompile SSSD in 20.04 using OpenSSL (instead of NSS) support

On Tue, Dec 01, 2020 at 03:33:45AM -0000, Marco Trevisan (Treviño) wrote:
> Probably not enough to compare, but from what I see in these matrices
> [4], there's basically nothing that NSS supports and OpenSSL doesn't
> (while it's true the other way around).

OK, but what about build configuration and default enabled cryptosuites
and suchlike? For example we've "locked down" OpenSSL's default
configuration to no longer support some older cryptosuites. Will
swapping NSS for OpenSSL cause user configurations to narrow the set of
cryptosuites that are enabled?

What if, for example, someone has an LDAP server that only supports
older TLS, and switching to OpenSSL causes their sssd LDAP TLS client to
require newer TLS because of our stronger defaults? What I describe
would result in a regression for that user until they reconfigure
things. Is this a realistic possibility?

> Not to mention that we already switched to an OpenSSL-based version of
> SSSD in 21.10, and even if its user base can't be compared to 20.04, so
> far I didn't read about related issues [5].

I think you're thinking of functional regressions here (i.e. introducing
actual bugs), whereas I'm more bothered about regressing edge case user
configurations (e.g. introducing a change that requires users to change
their local configurations to avoid a behavioural regression).
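The scenario raised above (a legacy LDAP server that only speaks older TLS, meeting a client that inherits Ubuntu's hardened OpenSSL defaults) can be made concrete with a small check. The following is an added example written for this page; it is not code from the bug thread, from sssd or from Ubuntu. It assumes that the hardened policy mirrors the `openssl.cnf` Ubuntu ships (`MinProtocol = TLSv1.2`, `CipherString = DEFAULT:@SECLEVEL=2`), takes the per-level RSA key-size floor from SSL_CTX_set_security_level(3), and uses constructed server profiles rather than anything measured against a real server. The cipher lists, however, come from the OpenSSL the interpreter is linked against, via the standard `ssl` module.

```python
"""
What Ubuntu's hardened OpenSSL defaults mean for a TLS client such as
sssd's LDAP client.  Added example, not code from the bug thread, from
sssd or from Ubuntu.  Assumptions: HARDENED mirrors the openssl.cnf
Ubuntu is assumed to ship (MinProtocol = TLSv1.2, CipherString =
DEFAULT:@SECLEVEL=2); MIN_RSA_BITS is taken from
SSL_CTX_set_security_level(3); the ServerProfile values are constructed.
"""
import ssl
from dataclasses import dataclass

# Minimum RSA/DSA/DH key size OpenSSL accepts at each security level,
# per SSL_CTX_set_security_level(3).
MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}


@dataclass(frozen=True)
class ClientPolicy:
    """The OpenSSL defaults a client process inherits from openssl.cnf."""
    min_protocol: ssl.TLSVersion
    cipher_string: str      # CipherString; may carry a trailing @SECLEVEL=n
    seclevel: int           # the level named in cipher_string


@dataclass(frozen=True)
class ServerProfile:
    """What a legacy LDAP server can offer (constructed for the example)."""
    max_protocol: ssl.TLSVersion
    cert_bits: int          # RSA modulus size of its certificate


# Assumed Ubuntu 20.04 defaults for OpenSSL-backed clients.
HARDENED = ClientPolicy(ssl.TLSVersion.TLSv1_2, "DEFAULT:@SECLEVEL=2", 2)
# What an admin might fall back to (hypothetical) to keep an old server working.
RELAXED = ClientPolicy(ssl.TLSVersion.TLSv1, "DEFAULT:@SECLEVEL=1", 1)


def client_context(policy: ClientPolicy) -> ssl.SSLContext:
    """Build a real OpenSSL client context under the given policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = policy.min_protocol
    ctx.set_ciphers(policy.cipher_string)   # "@SECLEVEL=n" takes effect here
    return ctx


def enabled_ciphers(policy: ClientPolicy) -> set:
    """Cipher names the linked OpenSSL actually leaves enabled under the policy."""
    return {c["name"] for c in client_context(policy).get_ciphers()}


def handshake_checks(policy: ClientPolicy, server: ServerProfile) -> dict:
    """Which client-side constraints the server satisfies (True means OK)."""
    return {
        # MinProtocol: the server must offer at least the client's floor.
        "protocol": server.max_protocol >= policy.min_protocol,
        # Security level: the server certificate key must meet the level's floor.
        "cert_key_size": server.cert_bits >= MIN_RSA_BITS[policy.seclevel],
    }


def would_regress(policy: ClientPolicy, server: ServerProfile) -> bool:
    """True if a client under `policy` can no longer connect to `server`."""
    return not all(handshake_checks(policy, server).values())


if __name__ == "__main__":
    legacy = ServerProfile(ssl.TLSVersion.TLSv1, cert_bits=1024)
    for name, policy in (("hardened", HARDENED), ("relaxed", RELAXED)):
        print(name, handshake_checks(policy, legacy),
              len(enabled_ciphers(policy)), "ciphers enabled")
```

The protocol and key-size checks are modelled from the documented rules, while `enabled_ciphers` asks the real library, so on a given host the hardened cipher set is always a subset of the relaxed one. With an OpenSSL-backed sssd the sssd-ldap(5) option `ldap_tls_cipher_suite` is the natural place for a per-service cipher string such as the relaxed one here; whether that is enough for a particular server depends on what it offers, which is the regression question raised above.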