
Re: (ITS#7240) [PATCH] MozNSS: skip hostname check if peer certificate was not requested



> Sounds like a simple sequencing bug then. Just initialize the global
> options before the first ldap_initialize() call.

Sudo parses the options in config file and stores them in a table:
http://www.sudo.ws/repos/sudo/file/6fa11e8448b9/plugins/sudoers/ldap.c#l225

This table is then iterated and all options are being set. The
problem is that some options are set with LDAP handle provided
and some are not. This means that the handle has to be created
before. The change proposed by you would require the change of
this well-arranged and transparent concept.

It can be a sequencing bug, but this particular situation is not
described anywhere. And OpenSSL has a different behavior. My patch
updates Mozilla NSS backend to behave the same as OpenSSL backend.

I still think this should be fixed in OpenLDAP rather than in sudo.

Jan