[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6432) PATCH: MozNSS crypto (tls_m.c) - support InitContext, improved PEM support

> Thanks for the patch.
> Just blindly #defining HAVE_NSS_INITCONTEXT is no good. Isn't there an NSS 
> version symbol we can check in the preprocessor, to make sure it's 3.12.5 or 
> newer? Otherwise we'll need an autoconf test for the existence of the 
> NSS_InitCOntext() function.
Ok.  I'll change it to check for NSS version >= 3.12.5
> > This allows apps and libraries to initialize NSS from different contexts. 
> I've
> > also cleaned up some of the code around PEM file support.  I also had to
> call
> > SSL_SetURL in order to put the correct hostname in the SSL socket for cert
> > validation.
> I explicitly withheld the hostname to force our own cert validation function 
> to be used. The NSS hostname validator's behavior is inconsistent with the 
> LDAP spec.
That's the tlsm_session_chkhost() function?  The problem is that the 
chkhost function is called too late - NSS attempts to perform the 
verification during the handshake process - by the time 
ldap_pvt_tls_check_hostname() is called in ldap_int_tls_start(), it's 
too late - NSS has failed - ldap_int_tls_connect() has returned an error.