[Date Prev][Date Next]
Re: (ITS#7240) [PATCH] MozNSS: skip hostname check if peer certificate was not requested
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7240) [PATCH] MozNSS: skip hostname check if peer certificate was not requested
- From: firstname.lastname@example.org
- Date: Wed, 18 Apr 2012 09:13:09 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Jan Vcelak wrote:
>> Sounds like a simple sequencing bug then. Just initialize the global
>> before the first ldap_initialize() call.
> Sudo parses the options in config file and stores them in a table:
> This table is then iterated and all options are being set. The
> problem is that some options are set with LDAP handle provided
> and some are not. This means that the handle has to be created
> before. The change proposed by you would require the change of
> this well-arranged and transparent concept.
"Elegance" of code does not make it less wrong.
The config is simply driven as a list. They can very easily fix this so that
sudo_ldap_set_options() is called twice, first with a NULL ld and only the
non-connection-oriented parameters, then create the LDAP handle and call again
to set the connection-oriented parameters.
> It can be a sequencing bug, but this particular situation is not
> described anywhere.
Perhaps that should be raised as a separate doc bug then. Global options are
copied to a handle at the time the handle is created. Any options not
explicitly set globally at that time are set to their default value.
> And OpenSSL has a different behavior. My patch
> updates Mozilla NSS backend to behave the same as OpenSSL backend.
> I still think this should be fixed in OpenLDAP rather than in sudo.
No. Your patch fixes one possible wrong outcome, but the sudo approach is
still fundamentally wrong and if we only patch this one instance, someone else
in the future is bound to trip over the sequencing problem again. Fix the
right bug, otherwise you will have to keep fixing the wrong bugs over and over
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/