
Re: (ITS#6432) PATCH: MozNSS crypto (tls_m.c) - support InitContext, improved PEM support



rmeggins@redhat.com wrote:
>>> I also had to call
>>> SSL_SetURL in order to put the correct hostname in the SSL socket for cert
>>> validation.
>>
>> I explicitly withheld the hostname to force our own cert validation function
>> to be used. The NSS hostname validator's behavior is inconsistent with the
>> LDAP spec.
>>
> That's the tlsm_session_chkhost() function?  The problem is that the
> chkhost function is called too late - NSS attempts to perform the
> verification during the handshake process - by the time
> ldap_pvt_tls_check_hostname() is called in ldap_int_tls_start(), it's
> too late - NSS has failed - ldap_int_tls_connect() has returned an error.

That should not happen, since tlsm_bad_cert_handler() causes the bad hostname 
result to be returned as Success. That gives us the chance to check it on our 
own. It worked in my tests before...

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
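An added illustration (not OpenLDAP's or NSS's own code) of the sequencing the two messages argue about: a bad-cert handler that turns only the hostname-mismatch result into success so the handshake continues, and a hostname check that must then run after the handshake, with the session rejected if the deferred check is skipped. The status type, error codes and the RFC 4513-style matching rule (wildcard only as the whole left-most label, matching one label, case-insensitive) are stand-ins constructed here and are assumptions, not the real library's values.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-ins for the NSS/NSPR status and error codes (assumption). */
typedef enum { SEC_OK = 0, SEC_FAIL = -1 } SecStatus;
enum { ERR_NONE = 0, ERR_BAD_CERT_DOMAIN = 1, ERR_UNKNOWN_ISSUER = 2, ERR_EXPIRED = 3 };

/* Per-session state shared by the handler and the post-handshake check. */
struct tls_session {
    const char *peer_cn;      /* name taken from the peer certificate */
    const char *url_host;     /* hostname from the LDAP URL */
    bool hostname_deferred;   /* NSS mismatch was converted to success */
    bool chkhost_done;        /* our own hostname check actually ran */
};

/* Modelled bad-cert handler: only the hostname mismatch becomes success, and the
 * deferral is recorded; every other chain failure still aborts the handshake. */
SecStatus bad_cert_handler(struct tls_session *s, int nss_error) {
    if (nss_error == ERR_BAD_CERT_DOMAIN) { s->hostname_deferred = true; return SEC_OK; }
    return SEC_FAIL;
}

/* Hostname comparison in the style of RFC 4513 3.1.3 (assumed rule): '*' is
 * allowed only as the entire left-most label and matches exactly one label. */
bool ldap_hostname_matches(const char *name, const char *host) {
    if (strncmp(name, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host) return false;   /* need a non-empty first label */
        return strcasecmp(name + 2, dot + 1) == 0;
    }
    return strcasecmp(name, host) == 0;
}

/* The check that has to run after the handshake; 0 on match, -1 otherwise. */
int session_chkhost(struct tls_session *s) {
    s->chkhost_done = true;
    return ldap_hostname_matches(s->peer_cn, s->url_host) ? 0 : -1;
}

/* Guard at connection completion: a deferred mismatch that was never
 * re-checked is a failure, not a silent success. */
int session_finish(struct tls_session *s) {
    return (s->hostname_deferred && !s->chkhost_done) ? -1 : 0;
}

/* Drive one connection through the modelled sequence: 0 = usable, -1 = reject. */
int run_connection(const char *peer_cn, const char *url_host, int nss_error, bool run_chkhost) {
    struct tls_session s = { peer_cn, url_host, false, false };
    if (nss_error != ERR_NONE && bad_cert_handler(&s, nss_error) != SEC_OK) return -1;
    if (run_chkhost && session_chkhost(&s) != 0) return -1;
    return session_finish(&s);
}
```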