[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6432) PATCH: MozNSS crypto (tls_m.c) - support InitContext, improved PEM support

rmeggins@redhat.com wrote:
>>> I also had to call
>>> SSL_SetURL in order to put the correct hostname in the SSL socket for cert
>>> validation.
>> I explicitly withheld the hostname to force our own cert validation function
>> to be used. The NSS hostname validator's behavior is inconsistent with the
>> LDAP spec.
> That's the tlsm_session_chkhost() function?  The problem is that the
> chkhost function is called too late - NSS attempts to perform the
> verification during the handshake process - by the time
> ldap_pvt_tls_check_hostname() is called in ldap_int_tls_start(), it's
> too late - NSS has failed - ldap_int_tls_connect() has returned an error.

That should not happen, since tlsm_bad_cert_handler() causes the bad hostname 
result to be returned as Success. That gives us the chance to check it on our 
own. It worked in my tests before...

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/