[Date Prev][Date Next]
Re: (ITS#6432) PATCH: MozNSS crypto (tls_m.c) - support InitContext, improved PEM support
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6432) PATCH: MozNSS crypto (tls_m.c) - support InitContext, improved PEM support
- From: firstname.lastname@example.org
- Date: Fri, 18 Dec 2009 18:33:25 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> Thanks for the patch.
> Just blindly #defining HAVE_NSS_INITCONTEXT is no good. Isn't there an NSS
> version symbol we can check in the preprocessor, to make sure it's 3.12.5 or
> newer? Otherwise we'll need an autoconf test for the existence of the
> NSS_InitCOntext() function.
Ok. I'll change it to check for NSS version >= 3.12.5
> > This allows apps and libraries to initialize NSS from different contexts.
> > also cleaned up some of the code around PEM file support. I also had to
> > SSL_SetURL in order to put the correct hostname in the SSL socket for cert
> > validation.
> I explicitly withheld the hostname to force our own cert validation function
> to be used. The NSS hostname validator's behavior is inconsistent with the
> LDAP spec.
That's the tlsm_session_chkhost() function? The problem is that the
chkhost function is called too late - NSS attempts to perform the
verification during the handshake process - by the time
ldap_pvt_tls_check_hostname() is called in ldap_int_tls_start(), it's
too late - NSS has failed - ldap_int_tls_connect() has returned an error.