
Re: HEADS UP: tls restructuring



On Tue, 12 Aug 2008, Howard Chu wrote:
> I've split all of the OpenSSL and GnuTLS-specific code into their own 
> separate source files, to clean up some of the #ifdef mess that was in 
> tls.c before. This approach actually allows support for both to be 
> compiled in at the same time. I'll probably add an LDAP_OPT_X option to 
> select which implementation to use at runtime. (It might make sense to 
> make these dynamically loadable modules, but for now I don't want to 
> make libldap dependent on ltdl/dlopen/whatever.)

Hah.  I was going to be submitting an ITS/patch later this week to add an 
ldap.conf option (TLS_MIN_PROTOCOL) and a slapd.conf option 
(TLSProtocolMin) for disabling use of either just SSLv2 or both SSLv2 and 
SSLv3.  I guess I'll wait until your changes go in and redo it against the 
new layout.

(My patch only adds this for OpenSSL)


> There's one user-visible change: get_option(LDAP_OPT_X_TLS_SSL_CTX) now 
> returns a pointer to a privately defined structure. For GnuTLS this is 
> in fact the same behavior as before. For OpenSSL this is a change; it 
> used to return the actual (SSL *). If this is going to break something 
> of yours, holler now...

Ick.  If the meaning of the option is going to change, please change the 
name at the same time.


Philip Guenther
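The TLS_MIN_PROTOCOL / TLSProtocolMin idea in the reply above, as an added example that is not part of this thread and not OpenLDAP code: a small model of a "minimum protocol" setting that shows which legacy versions a given minimum rules out, and a client-side enforcement of the same setting with Python's ssl module. The version names, their ordering, and the function names are assumptions for illustration; they are not the syntax of the patch the reply describes.

```python
"""Model a minimum-TLS-protocol option and enforce it on an SSLContext.

Added example, not code from the OpenLDAP thread. The option syntax here
(version names below, "everything older than the named version is off") is
a hypothetical stand-in for the TLS_MIN_PROTOCOL / TLSProtocolMin setting
discussed on the list.
"""
import ssl

# Protocol versions from oldest to newest. Our own naming, not OpenLDAP's.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Python's ssl module cannot negotiate SSLv2 or SSLv3 at all, so the lowest
# minimum it can express is TLS 1.0. "No SSLv2" and "no SSLv2 and SSLv3"
# (the two settings from the thread) both collapse to that floor here.
_TO_SSL_VERSION = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def disabled_protocols(minimum: str) -> list:
    """Return the protocol versions that a given minimum setting disables.

    Raises ValueError on an unknown name rather than silently allowing
    everything, which is the failure mode a misspelled config line invites.
    """
    if minimum not in PROTOCOL_ORDER:
        raise ValueError(f"unknown protocol name: {minimum!r}")
    return PROTOCOL_ORDER[: PROTOCOL_ORDER.index(minimum)]


def context_with_minimum(minimum: str) -> ssl.SSLContext:
    """Build a client context that refuses anything older than `minimum`."""
    disabled_protocols(minimum)  # validate the name first
    ctx = ssl.create_default_context()
    # Clamp SSLv2/SSLv3 requests up to TLS 1.0, the lowest expressible floor.
    ctx.minimum_version = _TO_SSL_VERSION.get(minimum, ssl.TLSVersion.TLSv1)
    return ctx


def effective_minimum(minimum: str) -> str:
    """Name of the floor the SSLContext actually ended up with."""
    return context_with_minimum(minimum).minimum_version.name


if __name__ == "__main__":
    for setting in ("SSLv3", "TLSv1.0", "TLSv1.2"):
        print(f"{setting:8} disables {disabled_protocols(setting)}; "
              f"context floor = {effective_minimum(setting)}")
```

The split between `disabled_protocols` and `context_with_minimum` mirrors the two halves of the proposed patch: parsing the config value is library-independent, while turning it into a real restriction is specific to the TLS implementation, which is exactly what the per-backend source files in the restructuring separate.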