
Re: (ITS#7042) [PATCH] allow unsetting of tls_* options for syncrepl




Hi,

I am the author of the patch at:
ftp://ftp.openldap.org/incoming/jvcelak-20110912-syncrepl-allow-unsetting-of-tls-options.patch

and I want to argue in favor of it:

1) In a configuration using a simple bind to authenticate a client, you
have no choice but to use ldaps to protect against password sniffing: this
requires a SERVER certificate only.

2) Since primary and replicated servers can have their role reversed
(i.e.: after failure and/or recovery of the former primary server), the
configurations should be kept as symmetric as possible (except for
syncrepl) in order to speed up the switch: SSL in both servers should thus
have the same configuration.

3) syncrepl then forces SSL to use a client certificate rather than a
simple bind for authentication: this implies "normal" clients will also
need a certificate... we are then in a situation lying very far from
using ldaps for encryption only :-(

4) Using separate server and client certificates within a server,
although safer, does not resolve my problem.

For the above reasons, I would really like to see my patch included in
the OpenLDAP code, or at least an equivalent solution.

Because "third-party patch submissions cannot be accepted per our IPR
policies. The original author is required to submit their own patches.",
do you need me to re-submit it?

Thanks in advance for your reply.
Regards,

Patrick Monnerat
DATASPHERE S.A.
16, chemin des Aulx
CH-1228 Plan-les-Ouates (GE)

