
Re: Forcing SSLv3 with Openldap 2.0.11



Howard -

Thanks much. Just so I'm clear on what you're suggesting I do..

Do you mean that I should just change the SSLv23_method() in tls.c and
rebuild the openldap libs, or do you mean I should do my own tls_def_ctx
overrides in the source code of the program I'm working with?

-- Scott

On Wed, Oct 03, 2001 at 07:28:46PM -0700, Howard Chu wrote:
> Doesn't look like anything you can configure in ldap.conf. The only way I
> can see to do this is to override the tls_def_ctx that the library creates.
> You do this by creating your own context and setting it with
> 
> 	SSL_CTX *ctx = SSL_CTX_new(SSLv3_method());
> 
> 		/* ... many other context initializations ... */
> 
> 	ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, ctx );
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Scott Russell
> > Sent: Wednesday, October 03, 2001 7:12 PM
> > To: openldap-software@OpenLDAP.org
> > Subject: Forcing SSLv3 with Openldap 2.0.11
> >
> >
> > How do I force SSLv3 with openldap 2.0.11 libs? It appears from looking at
> > openldap/libraries/libldap/tls.c that SSLv23 is used by default with no
> > way to change this.
> >
> > I understand that in a perfect world SSLv23 would work but with the
> > internal LDAP server, which is arguably broken, SSLv23 fails while SSLv3
> > works.
> >
> > Something I can add to /etc/ldap.conf perhaps?
> >
> > Thanks for the help
> >

-- 
Regards,
 Scott Russell (lnxgeek@us.ibm.com)
 Linux Technology Center, System Admin, RHCE.
 T/L 441-9289 / External 919-543-9289
 http://bzimage.raleigh.ibm.com/webcam