Re: HEADS UP: tls restructuring
On Tue, 12 Aug 2008, Howard Chu wrote:
> I've split all of the OpenSSL and GnuTLS-specific code into their own
> separate source files, to clean up some of the #ifdef mess that was in
> tls.c before. This approach actually allows support for both to be
> compiled in at the same time. I'll probably add an LDAP_OPT_X option to
> select which implementation to use at runtime. (It might make sense to
> make these dynamically loadable modules, but for now I don't want to
> make libldap dependent on ltdl/dlopen/whatever.)
Hah. I was going to be submitting an ITS/patch later this week to add an
ldap.conf option (TLS_MIN_PROTOCOL) and a slapd.conf option
(TLSProtocolMin) for disabling use of either just SSLv2 or both SSLv2 and
SSLv3. I guess I'll wait until your changes go in and redo it against the
new layout.
(My patch only adds this for OpenSSL)
> There's one user-visible change: get_option(LDAP_OPT_X_TLS_SSL_CTX) now
> returns a pointer to a privately defined structure. For GnuTLS this is
> in fact the same behavior as before. For OpenSSL this is a change; it
> used to return the actual (SSL *). If this is going to break something
> of yours, holler now...
Ick. If the meaning of the option is going to change, please change the
name at the same time.
Philip Guenther