[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8753) Public key pinning support in libldap

Full_Name: Ondrej Kuznik
Version: master
URL: https://github.com/mistotebe/openldap/tree/its8753
Submission from: (NULL) (

Some programs might want to pin the server's public key instead of/in addition
to certificate validation. The patch linked implements this option and provides
OpenSSL/GnuTLS support code.

A new libldap option LDAP_OPT_X_TLS_PEERKEY_HASH that accepts a string
'hashname/base64_hash_of_public_key'. If a TLS session is already present on the
main connection, it is also checked immediately.

It introduces a dependency on liblutil by depending on the symbol
lutil_b64_pton. Somehow, this breaks the build for the ldap* tools, not sure why
or how to fix that yet.