- To: OpenLDAP Devel <firstname.lastname@example.org>
- Subject: TLS cleanup
- From: Howard Chu <email@example.com>
- Date: Sun, 25 Jan 2009 14:33:37 -0800
- User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9.1b3pre) Gecko/20090115 SeaMonkey/2.0a1pre Firefox/3.0.3
So, back to the question of libldap's TLS support... The alternate code in
HEAD allows multiple TLS implementations to be used at once. The idea here was
that a single libldap binary would be able to coexist with multiple apps even
if they explicitly used different TLS libraries themselves. In practice I'm
not sure that's so important, since probably few apps are aware enough to even
make that choice. The other downside of this approach is that the meaning of
SSL and SSL_CTX handles in libldap changed (they had to be wrapped so we could
insert a tag identifying which implementation went with which handle).
One possibility here is to preserve the old TLS options for OpenSSL only, and
make them fail on the other implementations, and introduce new TLS options
just for manipulating the generic handles.
Another choice here is to keep the modular layout but still only support one
implementation at a time, chosen at compile time. Then we don't need the
identifying tag in each session and context handle.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
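The two layouts the mail weighs can be made concrete in a few dozen lines. The sketch below is an added illustration, not libldap code or anything from OpenLDAP HEAD: a generic context handle that carries a tag naming the implementation it belongs to (the "wrapping" that changed what an SSL_CTX handle means), an implementation-specific accessor that fails on any other back end (the first option in the mail), and a compile-time switch that fixes one back end so the tag becomes unnecessary (the second option). The "openssl" and "gnutls" back ends are stand-in stubs; no real TLS library is linked, and every type, function and macro name here is hypothetical.

```c
/* Added illustration, not libldap code: a tagged generic TLS handle that can
 * front more than one back end, versus one back end fixed at compile time.
 * Both back ends are stubs; the real OpenSSL/GnuTLS APIs are not used. */
#include <stdio.h>
#include <stdlib.h>

/* Tag recording which implementation owns a handle (hypothetical). */
typedef enum { TLS_IMPL_OPENSSL = 1, TLS_IMPL_GNUTLS = 2 } tls_impl_t;

/* Per-implementation operation table. */
typedef struct tls_ops {
    tls_impl_t  tag;
    const char *name;
    void     *(*ctx_new)(void);
    void      (*ctx_free)(void *);
    int       (*ctx_set_verify)(void *, int);
} tls_ops_t;

/* The wrapped handle: a tag (via ops) plus the library's opaque context.
 * Callers hold this instead of a raw SSL_CTX pointer. */
typedef struct tls_ctx {
    const tls_ops_t *ops;
    void            *impl_ctx;
} tls_ctx_t;

/* Stub "openssl" back end. */
typedef struct { int verify_mode; } stub_ossl_ctx;
static void *ossl_new(void) { return calloc(1, sizeof(stub_ossl_ctx)); }
static void  ossl_free(void *c) { free(c); }
static int   ossl_verify(void *c, int m) { ((stub_ossl_ctx *)c)->verify_mode = m; return 0; }
static const tls_ops_t ossl_ops = { TLS_IMPL_OPENSSL, "openssl", ossl_new, ossl_free, ossl_verify };

/* Stub "gnutls" back end. */
typedef struct { unsigned flags; } stub_gtls_ctx;
static void *gtls_new(void) { return calloc(1, sizeof(stub_gtls_ctx)); }
static void  gtls_free(void *c) { free(c); }
static int   gtls_verify(void *c, int m) { ((stub_gtls_ctx *)c)->flags = m ? 1u : 0u; return 0; }
static const tls_ops_t gtls_ops = { TLS_IMPL_GNUTLS, "gnutls", gtls_new, gtls_free, gtls_verify };

/* Runtime selection: build a generic handle for the requested back end. */
tls_ctx_t *tls_ctx_new(tls_impl_t impl) {
    const tls_ops_t *ops = (impl == TLS_IMPL_OPENSSL) ? &ossl_ops
                         : (impl == TLS_IMPL_GNUTLS)  ? &gtls_ops : NULL;
    if (!ops) return NULL;
    tls_ctx_t *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->ops = ops;
    t->impl_ctx = ops->ctx_new();
    if (!t->impl_ctx) { free(t); return NULL; }
    return t;
}

void tls_ctx_free(tls_ctx_t *t) {
    if (!t) return;
    t->ops->ctx_free(t->impl_ctx);
    free(t);
}

/* Generic option: dispatched through the tag, works on any back end. */
int tls_ctx_set_verify(tls_ctx_t *t, int mode) {
    return t->ops->ctx_set_verify(t->impl_ctx, mode);
}

/* First option from the mail: an OpenSSL-only accessor that refuses to hand
 * out a pointer of the wrong type. Returns 0 on success, -1 on mismatch. */
int tls_ctx_get_openssl_ctx(tls_ctx_t *t, void **out) {
    if (t->ops->tag != TLS_IMPL_OPENSSL) return -1;
    *out = t->impl_ctx;
    return 0;
}

/* Second option: one back end chosen at compile time (hypothetical macro),
 * so a build never needs to consult a per-handle tag. */
#ifndef TLS_SINGLE_IMPL
#define TLS_SINGLE_IMPL TLS_IMPL_OPENSSL
#endif
tls_ctx_t *tls_ctx_new_compiled(void) { return tls_ctx_new(TLS_SINGLE_IMPL); }

/* Exercises both paths; returns 0 if every expectation holds. */
int tls_selfcheck(void) {
    int bad = 0; void *raw = NULL;
    tls_ctx_t *a = tls_ctx_new(TLS_IMPL_OPENSSL), *b = tls_ctx_new(TLS_IMPL_GNUTLS);
    if (!a || !b) return -1;
    bad |= tls_ctx_set_verify(a, 1) != 0 || tls_ctx_set_verify(b, 1) != 0;
    bad |= tls_ctx_get_openssl_ctx(a, &raw) != 0 || raw != a->impl_ctx;
    bad |= tls_ctx_get_openssl_ctx(b, &raw) != -1;   /* tag mismatch must fail */
    tls_ctx_free(a); tls_ctx_free(b);
    return bad ? -1 : 0;
}

int main(void) {
    printf("selfcheck: %s\n", tls_selfcheck() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The tag costs one pointer per handle and a check in every implementation-specific accessor; the compile-time variant drops both but, as the mail says, then only one implementation can exist in a given libldap build.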