Re: (ITS#4475) libldap/tls.c uses static variables for TLS information
I agree this is a problem, it's been noted on -devel once or twice as
well. Not sure if this will get fixed in 2.3 or will have to wait for
2.4, most likely the latter.
> Full_Name: Alan DeKok
> Version: current
> OS: Linux
> Submission from: (NULL) (188.8.131.52)
> static int tls_opt_trace = 1;
> static char *tls_opt_certfile = NULL;
> static char *tls_opt_keyfile = NULL;
> static char *tls_opt_dhfile = NULL;
> static char *tls_opt_cacertfile = NULL;
> static char *tls_opt_cacertdir = NULL;
> static int tls_opt_require_cert = LDAP_OPT_X_TLS_DEMAND;
> These variables should be tied to the LDAP* pointer that's returned to the
> in ldap_initialize().
> The effect of this bug is that applications using libldap can have a TLS
> connection open to only one LDAP server at a time. While this works for
> most applications, FreeRADIUS (www.freeradius.org) can have multiple long-lived
> connections open to multiple LDAP servers.
> This bug means that only one of those connections can use certificates, OR
> all of the connections must use the same cacerts. This restriction causes
> problems for administrators who wish to use different certificates for each
> LDAP server.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/