Re: FW: Segfault with TLS
At 07:27 PM 2001-09-17, Howard Chu wrote:
>I have just verified the following bug report. The question is what exactly
>should the fix be?
If ldapsearch was called:
    ldapsearch -H ldaps:///
    ldapsearch -H ldap:// -Z
then we should connect to "localhost" and use
"localhost" for certificate checking.
If ldapsearch was started
then we should use the ldap.conf(5) hostname.
The key is we need to check the user specified (whether on command
line or ldap.conf(5)) for the certificate check.
I believe the latter case works; I believe the problem is with
the former. That is, I think (though I'd need to verify this)
the correct fix is to add:
    if( host == NULL ) host = "localhost";
to ldap_int_tls_start() (just below the present setting of host).
Yes, this will generally cause certificate checks as "localhost".
But trusting localhost would be a bad thing. Those wanting ease
of use should just not bother with ldaps:// through loopback.
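
Added example, not part of the original message and not OpenLDAP code: a sketch of the rule discussed above, where the name used for the certificate check comes only from what the user specified and a missing host becomes "localhost" instead of a NULL pointer. The helper names, the uri_given flag and the sample hostnames are hypothetical; the second case is assumed to be an invocation with no URI on the command line.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: pick the name the server certificate is checked
 * against. A URI on the command line wins, and an empty host in it
 * (ldaps:///) means "localhost"; without a URI the ldap.conf host is used. */
static const char *reference_host(int uri_given, const char *uri_host,
                                  const char *conf_host)
{
    const char *host = uri_given ? uri_host : conf_host;
    if (host == NULL || *host == '\0') host = "localhost";
    return host;
}

/* Hypothetical check: case-insensitive exact match between the reference
 * name and the name taken from the certificate. Returns 1 on match. */
static int cert_name_matches(const char *host, const char *cert_name)
{
    if (host == NULL) host = "localhost";  /* the guard proposed in the message */
    if (cert_name == NULL) return 0;       /* certificate carries no name: reject */
    return strcasecmp(host, cert_name) == 0;
}

int main(void)
{
    /* Constructed inputs: URI host, ldap.conf host, certificate name. */
    struct { int uri; const char *uh, *ch, *cert; } t[] = {
        { 1, NULL, "ldap.example.com", "localhost" },
        { 1, NULL, "ldap.example.com", "ldap.example.com" },
        { 0, NULL, "ldap.example.com", "LDAP.example.com" },
        { 0, NULL, NULL, "ldap.example.com" },
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        const char *ref = reference_host(t[i].uri, t[i].uh, t[i].ch);
        printf("check as %-18s cert %-18s -> %s\n", ref, t[i].cert,
               cert_name_matches(ref, t[i].cert) ? "accept" : "reject");
    }
    return 0;
}
```

With ldaps:/// the check runs against "localhost", so a certificate issued for the server's real name is rejected, which is the behaviour the message accepts.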