[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: HEADS UP: tls restructuring

To: Philip Guenther <guenther+ldapdev@sendmail.com>
Subject: Re: HEADS UP: tls restructuring
From: Howard Chu <hyc@symas.com>
Date: Tue, 12 Aug 2008 15:07:28 -0700
Cc: OpenLDAP Devel <openldap-devel@openldap.org>
In-reply-to: <alpine.BSO.1.10.0808121534130.14830@vanye.mho.net>
References: <48A1FF02.9030608@symas.com> <alpine.BSO.1.10.0808121534130.14830@vanye.mho.net>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9.0.2pre) Gecko/2008080913 SeaMonkey/2.0a1pre

Philip Guenther wrote:

On Tue, 12 Aug 2008, Howard Chu wrote:

I've split all of the OpenSSL and GnuTLS-specific code into their own
separate source files, to clean up some of the #ifdef mess that was in
tls.c before. This approach actually allows support for both to be
compiled in at the same time. I'll probably add an LDAP_OPT_X option to
select which implementation to use at runtime. (It might make sense to
make these dynamically loadable modules, but for now I don't want to
make libldap dependent on ltdl/dlopen/whatever.)


Hah.  I was going to be submitting an ITS/patch later this week to add an
ldap.conf option (TLS_MIN_PROTOCOL) and a slapd.conf option
(TLSProtocolMin) for disabling use of either just SSLv2 or both SSLv2 and
SSLv3.  I guess I'll wait until your changes go in and redo it against the
new layout.

(My patch only adds this for OpenSSL)


GnuTLS doesn't implement SSLv2, so it's kind of a moot point there.

There's one user-visible change: get_option(LDAP_OPT_X_TLS_SSL_CTX) now
returns a pointer to a privately defined structure. For GnuTLS this is
in fact the same behavior as before. For OpenSSL this is a change; it
used to return the actual (SSL *). If this is going to break something
of yours, holler now...


Ick.  If the meaning of the option is going to change, please change the
name at the same time.


Yeah, it's pretty much ugly all around.

It may be best to reserve the old options exclusively for OpenSSL, and introduce new options for the generic/private structure. This means code that doesn't expect libldap to be built with GnuTLS will get failure results on those options in that situation.

That's also ugly, because there's a lot of code out there that doesn't care what the return structure is, because it's only being stored to be fed back into libldap later... -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

Follow-Ups:
- Re: HEADS UP: tls restructuring
  - From: Philip Guenther <guenther+ldapdev@sendmail.com>

References:
- HEADS UP: tls restructuring
  - From: Howard Chu <hyc@symas.com>
- Re: HEADS UP: tls restructuring
  - From: Philip Guenther <guenther+ldapdev@sendmail.com>

Prev by Date: Re: HEADS UP: tls restructuring
Next by Date: Re: HEADS UP: tls restructuring
Index(es):
- Chronological
- Thread