(ITS#8753) Public key pinning support in libldap
Full_Name: Ondrej Kuznik
Submission from: (NULL) (220.127.116.11)
Some programs might want to pin the server's public key instead of/in addition
to certificate validation. The patch linked implements this option and provides
OpenSSL/GnuTLS support code.
A new libldap option, LDAP_OPT_X_TLS_PEERKEY_HASH, accepts a string of the form
'hashname/base64_hash_of_public_key'. If a TLS session is already present on the
main connection, it is also checked immediately.
It introduces a dependency on liblutil through the symbol lutil_b64_pton.
Somehow, this breaks the build for the ldap* tools; I am not sure why or how to
fix that yet.