Re: (ITS#6432) PATCH: MozNSS crypto (tls_m.c) - support InitContext, improved PEM support

rmeggins@redhat.com wrote:
> Full_Name: Richard Megginson
> Version: 2.4.20
> OS: Fedora 11
> URL: ftp://ftp.openldap.org/incoming/openldap-2.4.20-tls_m_c-InitContext-PEM-20091218.patch
> Submission from: (NULL) (
> This patch adds support for the new NSS_InitContext() API (new in NSS 3.12.5).

Thanks for the patch.

Just blindly #defining HAVE_NSS_INITCONTEXT is no good. Isn't there an NSS 
version symbol we can check in the preprocessor, to make sure it's 3.12.5 or 
newer? Otherwise we'll need an autoconf test for the existence of the 
NSS_InitContext() function.

> This allows apps and libraries to initialize NSS from different contexts.  I've
> also cleaned up some of the code around PEM file support.  I also had to call
> SSL_SetURL in order to put the correct hostname in the SSL socket for cert
> validation.

I explicitly withheld the hostname to force our own cert validation function 
to be used. The NSS hostname validator's behavior is inconsistent with the 
LDAP spec.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
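
An added example, not part of the original message or of the OpenLDAP patch: one way to derive HAVE_NSS_INITCONTEXT from the NSS_VMAJOR, NSS_VMINOR and NSS_VPATCH macros in nss.h, next to the naive comparison that wrongly rejects later releases such as 3.13.0. The VERSION_AT_LEAST and NAIVE_AT_LEAST macros and the helper functions are hypothetical names, and the 3.13.0 stand-in version is constructed so the file compiles without the NSS headers.

```c
#include <stdio.h>

/* In tls_m.c these three macros come from <nss.h>. The values below are
 * constructed stand-ins so this file compiles without the NSS headers. */
#ifndef NSS_VMAJOR
#define NSS_VMAJOR 3
#define NSS_VMINOR 13
#define NSS_VPATCH 0
#endif

/* Hypothetical helper: true when v >= required, compared field by field. */
#define VERSION_AT_LEAST(vmaj, vmin, vpat, maj, min, pat)            \
    ((vmaj) > (maj) ||                                               \
     ((vmaj) == (maj) && ((vmin) > (min) ||                          \
                          ((vmin) == (min) && (vpat) >= (pat)))))

/* The tempting but wrong form: rejects 3.13.0 because 0 < 5. */
#define NAIVE_AT_LEAST(vmaj, vmin, vpat, maj, min, pat)              \
    ((vmaj) >= (maj) && (vmin) >= (min) && (vpat) >= (pat))

/* Derive the feature macro from the header version instead of defining it
 * unconditionally. 3.12.5 is the release named in the patch description. */
#if VERSION_AT_LEAST(NSS_VMAJOR, NSS_VMINOR, NSS_VPATCH, 3, 12, 5)
#define HAVE_NSS_INITCONTEXT 1
#endif

int compiled_with_initcontext(void)
{
#ifdef HAVE_NSS_INITCONTEXT
    return 1;
#else
    return 0;
#endif
}

int have_initcontext(int maj, int min, int pat)
{
    return VERSION_AT_LEAST(maj, min, pat, 3, 12, 5);
}

int naive_have_initcontext(int maj, int min, int pat)
{
    return NAIVE_AT_LEAST(maj, min, pat, 3, 12, 5);
}

int main(void)
{
    printf("HAVE_NSS_INITCONTEXT: %d\n", compiled_with_initcontext());
    printf("3.13.0 correct=%d naive=%d\n", have_initcontext(3, 13, 0), naive_have_initcontext(3, 13, 0));
    return 0;
}
```

This tests the headers the code was compiled against, not the library loaded at run time; nss.h also declares NSS_VersionCheck() for a run-time check.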