
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol

guenther@sendmail.com wrote:
> On Fri, 15 Aug 2008, Philip Guenther wrote:
> ...
>> That said, it's more important to me that *some* option gets in so that I
>> (and Sendmail) don't have to maintain forever a patch to add it.  If
>> someone 'official' will make a decision and simply state what the option
>> should look like in its three forms (C API, ldap.conf, slapd config), I'll
>> munge the patch to match.
> Any opinions?
> ldap.conf:
> TLS_PROTOCOL_MIN <major>,<minor>

Let's use US convention <major>.<minor>...

> C:
> struct ldap_tls_protocol { unsigned char major, minor; } val;
> val.major = 3; val.minor=0;
> ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN,&val);

I would just use an int, and have the caller OR in the appropriate values. You 
could also define a few macros for the currently known versions.

What are the values for TLS1.1, 1.2, etc?
> ?
> (I'm running out of time to get _something_ into Sendmail's local copy, at
> which point I'll just commit something there and have to leave you guys to
> hack whatever you get around into the official repository.)
> Philip Guenther

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
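The int encoding Howard proposes above (major in the high byte, minor in the low byte, a few macros for the known versions) and a parser for the ldap.conf `<major>.<minor>` form, as an added example that is not OpenLDAP's code from this thread; the `TLS_PROTO*` macro names and both function names are my own, and the wire values (SSL 3.0 = 3.0, TLS 1.0 = 3.1, TLS 1.1 = 3.2, TLS 1.2 = 3.3) answer the "what are the values for TLS1.1, 1.2" question from the TLS RFCs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pack <major>.<minor> into one int, as suggested in the thread: callers
 * OR the fields together and macros name the known versions. Wire values:
 * SSL 3.0 = 3.0, TLS 1.0 = 3.1, TLS 1.1 = 3.2, TLS 1.2 = 3.3 (RFC 5246).
 * Macro names here are illustrative, not OpenLDAP's. */
#define TLS_PROTO(maj, min)   (((maj) << 8) | (min))
#define TLS_PROTO_SSL3        TLS_PROTO(3, 0)
#define TLS_PROTO_TLS1_0      TLS_PROTO(3, 1)
#define TLS_PROTO_TLS1_1      TLS_PROTO(3, 2)
#define TLS_PROTO_TLS1_2      TLS_PROTO(3, 3)

/* Parse the value of an ldap.conf "TLS_PROTOCOL_MIN <major>.<minor>" line
 * (the dot-separated form). Returns the packed int, or -1 on a malformed
 * value so that a typo cannot silently turn into "no minimum at all". */
int tls_proto_parse(const char *s)
{
    char *end;
    long maj, min;

    if (s == NULL || *s == '\0')
        return -1;
    maj = strtol(s, &end, 10);
    if (end == s || *end != '.' || maj < 0 || maj > 255)
        return -1;
    s = end + 1;
    min = strtol(s, &end, 10);
    if (end == s || *end != '\0' || min < 0 || min > 255)
        return -1;
    return TLS_PROTO((int)maj, (int)min);
}

/* With major in the high byte a plain integer compare orders versions
 * correctly: 3.0 < 3.1 < 3.2 < 3.3, so the minimum check is one line. */
int tls_proto_meets_min(int negotiated, int minimum)
{
    return negotiated >= minimum;
}

int main(void)
{
    int min = tls_proto_parse("3.1");   /* a "TLS_PROTOCOL_MIN 3.1" line */
    printf("min=0x%x TLS1.0 ok=%d SSL3 ok=%d\n", min,
           tls_proto_meets_min(TLS_PROTO_TLS1_0, min),
           tls_proto_meets_min(TLS_PROTO_SSL3, min));
    return 0;
}
```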