
Re: Hooks for handling SSL/TLS session etc in application



Leif Thuresson wrote:

I want to write an LDAP client that uses TLS and has an external session cache
that is preserved between program invocations. When I looked at the TLS module
source I didn't find any support for hooking in external routines for session management,
which means I would have to modify the OpenLDAP lib source (something that I really would like
to avoid since it would be a pain every time I want to upgrade the library).
After some searching on the web I found a discussion with the OpenLDAP developers from
2002 about adding possibilities for external session handling (http://www.openldap.org/lists/openldap-devel/200209/msg00072.html),
but nothing after that. Does anyone know what the current status is on this issue?

I guess it got dropped. The library now sets the session ID, and OpenSSL defaults to server session caching, so caching is automatically supported on slapd. But no callback hooks were ever implemented to allow enabling or selecting a session on the client side. Feel free to submit a patch to the ITS with this functionality.

Currently you can retrieve the session from an existing connection:
   ldap_get_option( ld, LDAP_OPT_X_TLS_SSL_CTX, &ssl );

From here you can retrieve the session handle:
   session = SSL_get1_session( ssl );

But I believe this only works if you already enabled client side session caching in the SSL_CTX, and that is not enabled by default. You can explicitly set up your own SSL_CTX and tell libldap to use it with
   ldap_set_option( NULL, LDAP_OPT_X_TLS_CTX, ssl_ctx );


Otherwise, the only way to affect libldap's default ssl_ctx ( tls_def_ctx ) is to have it make a TLS connection, retrieve the ssl_ctx, enable caching, and then the *next* TLS connection will have caching enabled.

We could make this less clumsy by having tls_get_option initialize the tls_def_ctx if you try to retrieve it and it hasn't been initialized yet.

But we still need to add a callback to be triggered on creation of a new SSL handle.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support