[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8753) Public key pinning support in libldap

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8753) Public key pinning support in libldap
From: ondra@mistotebe.net
Date: Tue, 07 Nov 2017 18:44:41 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

On Tue, Oct 10, 2017 at 10:43:42AM +0000, ondra@openldap.org wrote:
> URL: https://github.com/mistotebe/openldap/tree/its8753
> 
> A new libldap option LDAP_OPT_X_TLS_PEERKEY_HASH that accepts a string
> 'hashname/base64_hash_of_public_key'. If a TLS session is already present on the
> main connection, it is also checked immediately.
> 
> It introduces a dependency on liblutil by depending on the symbol
> lutil_b64_pton. Somehow, this breaks the build for the ldap* tools, not sure why
> or how to fix that yet.

A new version is now at the same place (see above), it moves the ldif.c
in-place base64 decoding into a separate function and reuses that.

Other changes:
- pin hash algorithm separator changes to ':'
- pin can now be set from the environment
- can now better deal with connection freeing and/or changes to the
  global ldap options

-- 
OndÅ?ej KuznÃk
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

Prev by Date: Re: (ITS#8770) dsaschema seg faults
Next by Date: Re: (ITS#8461) Unable to import LDIF from back-hdb DB to back-mdb db
Index(es):
- Chronological
- Thread