Actually, I don't see sssd at all using TLS connections, does it? It seems that to perform ldaps connections, it uses libldap from openldap which in turn uses GnuTLS. And any and all TLS LDAPS options are simply passed through to the libldap.
Inspecting all sssd binary packages I can see that only p11_child is the only one using libssl and that does not do TLS.
libsss-certmap0 uses libcrypto.so.1.1 only for certificate parsing but not for TLS.
Thus changing nss => openssl backend should be immaterial to what sssd uses from them.
The only concern from me is to migrate custom certs that p11_child trusts, if there are any configured, and migration is needed between the backends. I don't know how to configure p11_child but I do have smartcard reader and multiple smartcards so happy to test things =)
Actually, I don't see sssd at all using TLS connections, does it? It seems that to perform ldaps connections, it uses libldap from openldap which in turn uses GnuTLS. And any and all TLS LDAPS options are simply passed through to the libldap.
Inspecting all sssd binary packages I can see that only p11_child is the only one using libssl and that does not do TLS.
libsss-certmap0 uses libcrypto.so.1.1 only for certificate parsing but not for TLS.
Thus changing nss => openssl backend should be immaterial to what sssd uses from them.
The only concern from me is to migrate custom certs that p11_child trusts, if there are any configured, and migration is needed between the backends. I don't know how to configure p11_child but I do have smartcard reader and multiple smartcards so happy to test things =)