
Re: (ITS#8753) Public key pinning support in libldap

On Tue, Oct 10, 2017 at 10:43:42AM +0000, ondra@openldap.org wrote:
> URL: https://github.com/mistotebe/openldap/tree/its8753
> A new libldap option LDAP_OPT_X_TLS_PEERKEY_HASH that accepts a string
> 'hashname/base64_hash_of_public_key'. If a TLS session is already present on the
> main connection, it is also checked immediately.
> It introduces a dependency on liblutil by depending on the symbol
> lutil_b64_pton. Somehow, this breaks the build for the ldap* tools, not sure why
> or how to fix that yet.

A new version is now at the same place (see above), it moves the ldif.c
in-place base64 decoding into a separate function and reuses that.

Other changes:
- pin hash algorithm separator changes to ':'
- pin can now be set from the environment
- can now better deal with connection freeing and/or changes to the
  global ldap options

Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
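The pin format the reply describes, 'hashname:base64_hash_of_public_key' with ':' as the separator, worked through as an added example in Python. This is not code from the ITS patch or from libldap: it assumes, as RFC 7469 pins do, that the hash covers the DER-encoded SubjectPublicKeyInfo, it recognises only the hashlib digest names listed below (the message does not say which algorithms the option accepts), and the environment variable name EXAMPLE_TLS_PEERKEY_HASH is a placeholder, since the reply mentions that the pin can come from the environment but does not give the variable's name. The SPKI bytes are constructed inline so the block runs offline.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: a DER SubjectPublicKeyInfo for an Ed25519 key (the
# RFC 8410 prefix followed by a made-up 32-byte public key). The SPKI pulled
# out of a real server certificate is handled exactly the same way.
SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))

# Assumption: only these digests are accepted. libldap's own list is not
# stated on the page; add or remove names to match the implementation.
SUPPORTED_HASHES = ("sha256", "sha384", "sha512")

# Separator per the updated patch description: ':' rather than '/'.
SEPARATOR = ":"


def make_pin(spki_der: bytes, hashname: str = "sha256") -> str:
    """Build 'hashname:base64(hash(SPKI))' for a DER SubjectPublicKeyInfo."""
    if hashname not in SUPPORTED_HASHES:
        raise ValueError("unsupported hash algorithm: %s" % hashname)
    digest = hashlib.new(hashname, spki_der).digest()
    return hashname + SEPARATOR + base64.b64encode(digest).decode("ascii")


def parse_pin(pin: str) -> Tuple[str, bytes]:
    """Split and strictly decode a pin; reject anything malformed up front.

    Rejecting bad pins at option-setting time, rather than silently never
    matching, is what stops a typo from turning into a denial of service
    against every future connection.
    """
    hashname, sep, b64 = pin.partition(SEPARATOR)
    if not sep or not b64:
        raise ValueError("pin must look like hashname%sbase64" % SEPARATOR)
    hashname = hashname.lower()
    if hashname not in SUPPORTED_HASHES:
        raise ValueError("unsupported hash algorithm: %s" % hashname)
    # validate=True makes non-alphabet characters an error instead of
    # being skipped, so a corrupted pin cannot decode to a wrong value.
    digest = base64.b64decode(b64, validate=True)
    if len(digest) != hashlib.new(hashname).digest_size:
        raise ValueError("decoded pin has the wrong length for %s" % hashname)
    return hashname, digest


def check_pin(spki_der: bytes, pin: str) -> bool:
    """True if the peer's SPKI matches the pin; constant-time comparison."""
    hashname, expected = parse_pin(pin)
    actual = hashlib.new(hashname, spki_der).digest()
    return hmac.compare_digest(actual, expected)


def pin_from_env(var: str = "EXAMPLE_TLS_PEERKEY_HASH") -> Optional[str]:
    """Read and validate a pin from the environment (variable name is a
    placeholder; the real name is not given on the page)."""
    value = os.environ.get(var)
    if value is None:
        return None
    parse_pin(value)  # fail early on a malformed pin
    return value


if __name__ == "__main__":
    pin = make_pin(SPKI_DER)
    print("pin:", pin)
    print("matches own key:", check_pin(SPKI_DER, pin))
    print("matches altered key:", check_pin(SPKI_DER[:-1] + b"\x00", pin))
```

To produce a pin for a real server, extract the SPKI from its certificate and hash it, for example with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`, then prefix the result with `sha256:`. Pin the SPKI rather than the certificate so a renewal with the same key pair does not break clients, and keep a second pin for the backup key.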