
RE: Forcing SSLv3 with Openldap 2.0.11
Override it in your own code. Do the things that tls.c does to initialize
the default context, but do it in your own application. Once that's done,
use the ldap_set_option call to make the library use your custom context.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: Scott Russell [mailto:lnxgeek@us.ibm.com]
> Sent: Wednesday, October 03, 2001 8:01 PM
> To: Howard Chu
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: Forcing SSLv3 with Openldap 2.0.11
>
>
> Howard -
>
> Thanks much. Just so I'm clear on what you're suggesting I do..
>
> Do you mean that I should just change the SSLv23_method() in tls.c and
> rebuild the openldap libs or do you mean I should do my own tls_def_ctx
> overrides in the source code of the program I'm working with?
>
> -- Scott
>
> On Wed, Oct 03, 2001 at 07:28:46PM -0700, Howard Chu wrote:
> > Doesn't look like anything you can configure in ldap.conf. The only way I
> > can see to do this is to override the tls_def_ctx that the library
> > creates. You do this by creating your own context and setting it with
> >
> > 	SSL_CTX *ctx = SSL_CTX_new(SSLv3_method());
> >
> > 		/* ... many other context initializations ... */
> >
> > 	ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, ctx );
> >
> > > -----Original Message-----
> > > From: owner-openldap-software@OpenLDAP.org
> > > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Scott Russell
> > > Sent: Wednesday, October 03, 2001 7:12 PM
> > > To: openldap-software@OpenLDAP.org
> > > Subject: Forcing SSLv3 with Openldap 2.0.11
> > >
> > >
> > > How do I force SSLv3 with openldap 2.0.11 libs? It appears from looking at
> > > openldap/libraries/libldap/tls.c that SSLv23 is used by default with no way
> > > to change this.
> > >
> > > I understand that in a perfect world SSLv23 would work but with the internal
> > > LDAP server, which is arguably broken, SSLv23 fails while SSLv3 works.
> > >
> > > Something I can add to /etc/ldap.conf perhaps?
> > >
> > > Thanks for the help
> > >
>
> --
> Regards,
>  Scott Russell (lnxgeek@us.ibm.com)
>  Linux Technology Center, System Admin, RHCE.
>  T/L 441-9289 / External 919-543-9289
>  http://bzimage.raleigh.ibm.com/webcam
>