[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4422) Client connecting with multiple certificates

Dear Kurt,

thank you for your reply;

Kurt D. Zeilenga wrote:

>I believe the behavior you are seeing is as intended.
>The current version of libldap only supports a single
>client certificate.
Actually, the problem isn't only with the client certificate, but with 
all the parts of the ssl context (i.e. trusted CA certificates as 

You are right that one can create the context from the scratch, and to 
set it to the ldap library via setting the option LDAP_OPT_X_TLS_CTX. 
However, this seems to be a bit useless since the code for creting the 
ssl context already exists within the ldap library.

In fact, it would be satisfactory to set the ldap's default ssl context 
to NULL (ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL)); so the ldap 
library doesn't find the old context, and creates a new one while 
creating the new connection.

However, even this is not possible since LDAP_OPT_X_TLS_CTX is in the 
"/* options which cannot withstand invalue == NULL */ " section of 
options.c source. (Yes, there is still a possibility to call the 
(internal)  ldap_pvt_tls_set_option() function directly, but it doesn't 
seem to be very clean solution).

Is it possible to move the LDAP_OPT_X_TLS_CTX option to the section 
where the NULL is permitted as a correct value?

Thanks, Pavel Rydvan