[Csync2] csync2 without gnutls-openssl?

Lars Ellenberg lars.ellenberg at linbit.com
Tue Jul 27 14:26:01 CEST 2010


On Mon, Jul 26, 2010 at 11:17:43PM +0200, Giampaolo Tomassoni wrote:
> > It would appear that RHEL have, in their infinite wisdom, dropped
> > gnutls-openssl.so libraries from gnutls because there appears to be a
> > namespace clash somewhere:
> > https://bugzilla.redhat.com/show_bug.cgi?id=460310
> > 
> > RHEL6b2 has had these removed, and it seems the F13+ gnutls will be
> > having it removed, too.
> > 
> > Can csync2 developers suggest a reasonable long-term solution to this?
> > RH seem unwilling to consider unbreaking this:
> > https://bugzilla.redhat.com/show_bug.cgi?id=617558
> 
> I dropped my own dirty patch to this ng some months ago (sometime around
> November 2009), but it seems it didn't (yet) find its way to the csync2
> official code.

Did you post to this ML, too?

> You may eventually get a copy of the patch here:
> 
> 	http://bugs.gentoo.org/attachment.cgi?id=210768
> 
> which is an attachment from Gentoo bug#274213
> (http://bugs.gentoo.org/show_bug.cgi?id=274213).

I'll push it into csync2 svn.

> The patch basically "discards" all the gnutls-openssl mess and gets straight
> to gnutls native mode. This also *may* mean that one can expect some
> interoperability issues after upgrade, because of a *possible* different
> handling of the chain-of-trust in server and client certificates between
> gnutls-openssl calls and gnutls ones. Anyway, I have no report of this at
> the time.

Chain of trust is sort-of ignored, anyways, by csync2 :(

IIRC, on _first_ connect of two hosts, it is checked, don't know in what
depth, and the fingerprint of the cert is stored in some sqlite table.
Once that (fingerprint, hostname) tuple is there, the certificates are no
longer checked for anything but for matching that fingerprint, hostname.

BTW, we are toying around with an "ssh-tunnel mode".
Some preparation has been done, but it is not quite ready yet.

-- 
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
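Added example, not csync2's own code: a minimal trust-on-first-use pin store in Python with sqlite3 that models the behaviour Lars describes above (chain checked only on first contact, then only the (hostname, fingerprint) tuple is compared). The table name, the chain_check callback and the certificate bytes are constructed for the example; csync2's real schema is not shown in the thread.

```python
import hashlib
import sqlite3
from typing import Callable

# Hypothetical table layout; csync2's real sqlite schema is not shown in the thread.
SCHEMA = """CREATE TABLE IF NOT EXISTS x509_pins (
    hostname    TEXT PRIMARY KEY,
    fingerprint TEXT NOT NULL
)"""


def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 over the raw (DER) certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()


def open_pin_store(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the sqlite pin store."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def verify_peer(conn: sqlite3.Connection, hostname: str, cert_der: bytes,
                chain_check: Callable[[bytes], bool]) -> str:
    """Trust-on-first-use check for one peer certificate.

    'pinned'   : no pin existed, chain check passed, fingerprint stored
    'rejected' : no pin existed and chain check failed
    'match'    : pin existed and fingerprint matches (chain is NOT re-checked)
    'mismatch' : pin existed and fingerprint differs, refuse the connection
    """
    fp = cert_fingerprint(cert_der)
    row = conn.execute("SELECT fingerprint FROM x509_pins WHERE hostname = ?",
                       (hostname,)).fetchone()
    if row is None:
        # First contact: the only time the chain of trust is consulted.
        if not chain_check(cert_der):
            return "rejected"
        conn.execute("INSERT INTO x509_pins (hostname, fingerprint) VALUES (?, ?)",
                     (hostname, fp))
        conn.commit()
        return "pinned"
    # Later contacts: only the stored (hostname, fingerprint) tuple matters.
    return "match" if row[0] == fp else "mismatch"


if __name__ == "__main__":
    db = open_pin_store()
    cert_a = b"constructed DER bytes for host-a, first cert"
    cert_b = b"constructed DER bytes for host-a, replaced cert"
    print(verify_peer(db, "host-a", cert_a, lambda c: True))   # pinned
    print(verify_peer(db, "host-a", cert_a, lambda c: False))  # match, chain not consulted
    print(verify_peer(db, "host-a", cert_b, lambda c: True))   # mismatch
```

The second call shows the caveat in the mail: once pinned, a certificate whose chain would no longer validate is still accepted, and a replaced certificate is refused even if its chain is valid.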

