
Re: FW: Segfault with TLS



At 07:27 PM 2001-09-17, Howard Chu wrote:
>I have just verified the following bug report. The question is what exactly
>should the fix be?

If ldapsearch was called:
        ldapsearch -H ldaps:///
        ldapsearch -H ldap:// -Z

then ldapsearch should connect to "localhost" and use
"localhost" for certificate checking.

If ldapsearch was started
        ldapsearch -Z

then we should use the ldap.conf(5) hostname.

The key is we need to check the user-specified hostname (whether on command
line or ldap.conf(5)) for the certificate check.

I believe the latter case works; I believe the problem is with
the former.  That is, I think (though I'd need to verify this)
the correct fix is to add:
        if( host == NULL ) host = "localhost";
to ldap_int_tls_start() (just below the present setting of host).

Yes, this will generally cause certificate checks as "localhost".
But trusting localhost would be a bad thing.  Those wanting ease
of use should just not bother with ldaps:// through loopback.
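The rule sketched in the message above, as an added, stand-alone C example (not OpenLDAP code, and not the patch under discussion): derive the name the server certificate must be checked against from the URL or, failing that, the ldap.conf(5) host, substituting "localhost" only when a URL was given with an empty host, and then match that name against the names a certificate carries. The function names (url_host, cert_check_host, cert_name_matches), the single-label wildcard rule, and the sample URLs are assumptions made for the example; strcasecmp is the POSIX one from <strings.h>.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the host component of scheme://host[:port][/...] into `out`.
 * Returns 1 if `url` has a scheme://, 0 otherwise.  An empty host
 * (ldaps:///, ldap://) yields out[0] == '\0'.  IPv6 literals are
 * returned without their brackets. */
static int url_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return 0;
    p += 3;
    const char *end;
    if (*p == '[') {                              /* [::1]:636 */
        p++;
        end = strchr(p, ']');
        if (end == NULL) return 0;                /* malformed: treat as no URL */
    } else {
        end = p;
        while (*end != '\0' && *end != ':' && *end != '/') end++;
    }
    size_t n = (size_t)(end - p);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Name the certificate must be checked against (hypothetical helper):
 *  - URL with a host      -> that host
 *  - URL with empty host  -> "localhost" (the fix proposed in the message)
 *  - no URL               -> the ldap.conf(5) host
 *  - neither              -> NULL; the caller must fail, never skip the check */
const char *cert_check_host(const char *url, const char *conf_host,
                            char *buf, size_t buflen)
{
    if (url != NULL && url_host(url, buf, buflen)) {
        if (buf[0] == '\0')
            snprintf(buf, buflen, "%s", "localhost");
        return buf;
    }
    if (conf_host != NULL) {
        snprintf(buf, buflen, "%s", conf_host);
        return buf;
    }
    return NULL;
}

/* Case-insensitive match of one certificate name against the expected
 * host.  A leading "*." matches exactly one DNS label (assumed rule);
 * "*.example.com" matches dir.example.com but not example.com or
 * a.b.example.com. */
int cert_name_matches(const char *cert_name, const char *host)
{
    if (cert_name == NULL || host == NULL) return 0;
    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host) return 0;  /* need a label before the dot */
        return strcasecmp(cert_name + 1, dot) == 0;
    }
    return strcasecmp(cert_name, host) == 0;
}

/* 1 if any of the certificate's names matches `host`, else 0. */
int cert_matches_host(const char *const *names, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (cert_name_matches(names[i], host)) return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: a certificate issued for the directory host only. */
    const char *const names[] = { "dir.example.com", "*.example.com" };
    const size_t nnames = sizeof names / sizeof names[0];
    const char *urls[] = { "ldaps:///", "ldap://", NULL,
                           "ldaps://dir.example.com:636/dc=example" };
    char buf[256];
    for (size_t i = 0; i < 4; i++) {
        const char *h = cert_check_host(urls[i], "dir.example.com", buf, sizeof buf);
        printf("url=%-42s check against %-16s -> %s\n",
               urls[i] ? urls[i] : "(none, -Z only)", h,
               cert_matches_host(names, nnames, h) ? "match" : "MISMATCH");
    }
    return 0;
}
```

Run as written, the two empty-host URLs are checked against "localhost" and fail against a certificate issued for dir.example.com, which is the behaviour the message argues for: a loopback connection is not trusted merely because it is local; the certificate has to be issued for "localhost" or the client has to name the host it actually expects.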