[Date Prev][Date Next]
Re: TLS_RANDFILE not recognized in ldap.conf/.ldaprc (ITS#733)
At 06:40 PM 9/12/00 +0000, firstname.lastname@example.org wrote:
>Full_Name: Michael Weiser
>Version: cvs 20000912
>OS: irix 6.5
>Submission from: (NULL) (126.96.36.199)
>TLS_RANDFILE in ldap.conf and/or ~/ldaprc doesn't make libldap contact the
>egd since a.) the configs are read *after* the RNG is seeded and b.)
>TLS_RANDFILE is marked as user-only. While the former seems to be only an
>oversight the latter may make sense in respect of overall security but is
>bad for setting up a configuration working oob for the users of my irix 6.5
>box. I want to run egd and/or prngd as system-wide entropy gathering daemons
>which all tools connect to automatically.
It wasn't an oversight. It was done purposely as sharing (static)
randfiles is not wise from a security standpoint. If a system
wise source of entropy is available which can be read using read(2),
then it should be configured as the URANDOM_DEVICE.
env CPPFLAGS="-DURANDOM_DEVICE=/tmp/egd/random" ./configure
>I hope the attached patch fixes this although I don't have any idea whether
>and how the relocation of ldap_pvt_tls_init() affects the calls between the
>new and old location. It works for me (tm).
I would think that both TLS and SASL initialization should be done
after scanning ldap.conf/.ldaprc.... so this change appears to be