OpenLDAP
Viewing Incoming/8805
From: cheimes@redhat.com
Subject: Documentation for LDAP_OPT_X_TLS_NEWCTX is wrong

Date: Thu, 15 Feb 2018 15:46:00 +0000
From: cheimes@redhat.com
To: openldap-its@OpenLDAP.org
Subject: Documentation for LDAP_OPT_X_TLS_NEWCTX is wrong
Full_Name: Christian Heimes
Version: 2.4.45
OS: Fedora
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:16b8:607e:f300:6312:6da:8e63:dfa2)


The documentation for ldap_set_option LDAP_OPT_X_TLS_NEWCTX is wrong or at least
misleading. The man page https://linux.die.net/man/3/ldap_set_option describes
the option as:

> Instructs the library to create a new TLS library context. invalue must be
> const int *. A non-zero value pointed to by invalue tells the library to create
> a context for a server.

However tls2 creates a new context for any non-NULL argument, even for
ldap_set_option(l, LDAP_OPT_X_TLS_NEWCTX, 0). See
https://github.com/openldap/openldap/blob/OPENLDAP_REL_ENG_2_4_45/libraries/libldap/tls2.c#L799-L804

Followup 1
Subject: Re: (ITS#8805) Documentation for LDAP_OPT_X_TLS_NEWCTX is wrong
To: cheimes@redhat.com, openldap-its@OpenLDAP.org
From: Howard Chu <hyc@symas.com>
Date: Thu, 15 Feb 2018 16:04:40 +0000
cheimes@redhat.com wrote:
> Full_Name: Christian Heimes
> Version: 2.4.45
> OS: Fedora
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:16b8:607e:f300:6312:6da:8e63:dfa2)
> 
> 
> The documentation for ldap_set_option LDAP_OPT_X_TLS_NEWCTX is wrong or at least
> misleading. The man page https://linux.die.net/man/3/ldap_set_option describes
> the option as:
> 
>> Instructs the library to create a new TLS library context. invalue must be
>> const int *. A non-zero value pointed to by invalue tells the library to create
>> a context for a server.
> 
> However tls2 creates a new context for any non-NULL argument, even for
> ldap_set_option(l, LDAP_OPT_X_TLS_NEWCTX, 0). See
> https://github.com/openldap/openldap/blob/OPENLDAP_REL_ENG_2_4_45/libraries/libldap/tls2.c#L799-L804

I see no disagreement between the code and the documentation. Please 
elaborate, otherwise this ITS will be closed.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 2
Subject: Re: (ITS#8805) Documentation for LDAP_OPT_X_TLS_NEWCTX is wrong
To: Howard Chu <hyc@symas.com>, openldap-its@OpenLDAP.org
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 15 Feb 2018 17:26:24 +0100

On 2018-02-15 17:04, Howard Chu wrote:
> I see no disagreement between the code and the documentation. Please
> elaborate, otherwise this ITS will be closed.

For a non-native speaker, the documentation sounds a bit like
ldap_set_option(l, LDAP_OPT_X_TLS_NEWCTX, 0) does not create a new
context at all because the input value is zero. Could you please mention
that a zero value creates a client context?


-- 
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander





Followup 3
Subject: Re: (ITS#8805) Documentation for LDAP_OPT_X_TLS_NEWCTX is wrong
To: cheimes@redhat.com, openldap-its@OpenLDAP.org
From: Howard Chu <hyc@symas.com>
Date: Thu, 15 Feb 2018 16:39:07 +0000
cheimes@redhat.com wrote:
> On 2018-02-15 17:04, Howard Chu wrote:
>> I see no disagreement between the code and the documentation. Please
>> elaborate, otherwise this ITS will be closed.
> 
> For a non-native speaker, the documentation sounds a bit like
> ldap_set_option(l, LDAP_OPT_X_TLS_NEWCTX, 0) does not create a new
> context at all because the input value is zero. Could you please mention
> that a zero value creates a client context?

"This option creates a context.
If you specify a 1, it will create a context for a server."

Nothing in these statements implies that it will *not* create a context.

Closing this ITS.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org