[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#4475) libldap/tls.c uses static variables for TLS information

Full_Name: Alan DeKok
Version: current
OS: Linux
Submission from: (NULL) (



static int  tls_opt_trace = 1;
static char *tls_opt_certfile = NULL;
static char *tls_opt_keyfile = NULL;
static char *tls_opt_dhfile = NULL;
static char *tls_opt_cacertfile = NULL;
static char *tls_opt_cacertdir = NULL;
static int  tls_opt_require_cert = LDAP_OPT_X_TLS_DEMAND;

These variables should be tied to the LDAP* pointer that's returned to the
in ldap_initialize().

The effect of this bug is that applications using libldap can have a TLS
connection open to only one LDAP server at a time.  While this works for
most applications, FreeRADIUS (www.freeradius.org) can have multiple long-lived
connections open to multiple LDAP servers.

This bug means that only one of those connections can use certificates, OR
all of the connections must use the same cacerts.  This restriction causes
problems for administrators who wisth to use different certificates for each
LDAP server.