
Re: HEADS UP: tls restructuring



Philip Guenther wrote:
> On Tue, 12 Aug 2008, Howard Chu wrote:
>> I've split all of the OpenSSL and GnuTLS-specific code into their own
>> separate source files, to clean up some of the #ifdef mess that was in
>> tls.c before. This approach actually allows support for both to be
>> compiled in at the same time. I'll probably add an LDAP_OPT_X option to
>> select which implementation to use at runtime. (It might make sense to
>> make these dynamically loadable modules, but for now I don't want to
>> make libldap dependent on ltdl/dlopen/whatever.)
>
> Hah. I was going to be submitting an ITS/patch later this week to add an ldap.conf option (TLS_MIN_PROTOCOL) and a slapd.conf option (TLSProtocolMin) for disabling use of either just SSLv2 or both SSLv2 and SSLv3. I guess I'll wait until your changes go in and redo it against the new layout.
>
> (My patch only adds this for OpenSSL)

Go ahead and submit the patch. I'm still undecided on where to go with my current code.


By the way, this restructuring also allowed me to get Mozilla NSS working. (Barely.) Some more work is still needed on that front.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/