Re: (ITS#6432) PATCH: MozNSS crypto (tls_m.c) - support InitContext, improved PEM support
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6432) PATCH: MozNSS crypto (tls_m.c) - support InitContext, improved PEM support
- From: hyc@symas.com
- Date: Fri, 18 Dec 2009 20:00:47 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
rmeggins@redhat.com wrote:
>>> I also had to call
>>> SSL_SetURL in order to put the correct hostname in the SSL socket for cert
>>> validation.
>>
>> I explicitly withheld the hostname to force our own cert validation function
>> to be used. The NSS hostname validator's behavior is inconsistent with the
>> LDAP spec.
>>
> That's the tlsm_session_chkhost() function? The problem is that the
> chkhost function is called too late - NSS attempts to perform the
> verification during the handshake process - by the time
> ldap_pvt_tls_check_hostname() is called in ldap_int_tls_start(), it's
> too late - NSS has failed - ldap_int_tls_connect() has returned an error.
That should not happen, since tlsm_bad_cert_handler() causes the bad hostname
result to be returned as Success. That gives us the chance to check it on our
own. It worked in my tests before...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
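The exchange above turns on one design point: the bad-cert handler (tlsm_bad_cert_handler() in the patch under discussion) reports NSS's hostname-mismatch verdict as success so that the handshake completes and OpenLDAP can apply its own, LDAP-spec hostname check afterwards. What follows is an added, self-contained illustration of what such a post-handshake check looks like. It is not OpenLDAP's ldap_pvt_tls_check_hostname() and uses no NSS API; the matching rules are my reading of RFC 4513 section 3.1.3 (case-insensitive comparison, "*" allowed only as the whole left-most label and matching exactly one label, subjectAltName dNSName preferred over the subject CN, and iPAddress SANs only when the client connected by IP literal). The peer_cert_t struct and the SAMPLE_* certificates are constructed stand-ins for the fields a client would extract from the peer certificate; OpenLDAP's real code may differ in detail.

```c
/*
 * Added example (not OpenLDAP or NSS code): a post-handshake server identity
 * check in the style of RFC 4513 section 3.1.3. It runs only after the TLS
 * library's own hostname verdict has been suppressed so the handshake finishes.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#define MAX_SAN 8

/* Constructed stand-in for the identity fields pulled out of the peer cert. */
typedef struct {
    const char *dns_names[MAX_SAN];  /* subjectAltName dNSName values */
    int         n_dns;
    const char *ip_names[MAX_SAN];   /* subjectAltName iPAddress values, textual */
    int         n_ip;
    const char *cn;                  /* subject CN; consulted only if no dNSName */
} peer_cert_t;

/* Parse an IPv4/IPv6 literal into bytes; returns 4, 16, or 0 if not an IP. */
static int parse_ip(const char *s, unsigned char out[16])
{
    if (inet_pton(AF_INET, s, out) == 1)
        return 4;
    if (inet_pton(AF_INET6, s, out) == 1)
        return 16;
    return 0;
}

/*
 * Match one certificate name against the host the client connected to.
 * Case-insensitive; "*" is permitted only as the entire left-most label and
 * stands for exactly one label: "*.example.com" matches "ldap.example.com"
 * but neither "example.com" nor "a.b.example.com". "ld*.example.com" and
 * "*.*.example.com" are rejected outright.
 */
int ldap_hostname_match(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return 0;

    const char *star = strchr(pattern, '*');
    if (!star)
        return strcasecmp(pattern, host) == 0;

    /* Wildcard must be the whole first label, followed by more labels. */
    if (star != pattern || pattern[1] != '.' || pattern[2] == '\0')
        return 0;
    if (strchr(pattern + 1, '*'))          /* no second wildcard anywhere */
        return 0;

    const char *hdot = strchr(host, '.');
    if (!hdot || hdot == host)             /* host needs a non-empty first label */
        return 0;
    /* Everything after the host's first label must equal the pattern's tail. */
    return strcasecmp(pattern + 2, hdot + 1) == 0;
}

/* Returns 1 if the certificate identifies `host`, 0 otherwise. */
int check_peer_hostname(const peer_cert_t *cert, const char *host)
{
    unsigned char want[16], have[16];
    int wlen = parse_ip(host, want);

    if (wlen) {
        /* Connected by IP literal: only iPAddress SANs count, never the CN. */
        for (int i = 0; i < cert->n_ip; i++) {
            int hlen = parse_ip(cert->ip_names[i], have);
            if (hlen == wlen && memcmp(want, have, wlen) == 0)
                return 1;
        }
        return 0;
    }

    if (cert->n_dns > 0) {
        /* dNSName present: the CN is not a fallback. */
        for (int i = 0; i < cert->n_dns; i++)
            if (ldap_hostname_match(cert->dns_names[i], host))
                return 1;
        return 0;
    }

    return ldap_hostname_match(cert->cn, host);
}

/* Constructed sample certificate identities used by main() below. */
const peer_cert_t SAMPLE_WILDCARD = { { "*.example.com" }, 1, { 0 }, 0, "other.example.org" };
const peer_cert_t SAMPLE_CN_ONLY  = { { 0 }, 0, { 0 }, 0, "ldap.example.com" };
const peer_cert_t SAMPLE_IP_SAN   = { { 0 }, 0, { "192.0.2.10" }, 1, NULL };
const peer_cert_t SAMPLE_IP_IN_CN = { { 0 }, 0, { 0 }, 0, "192.0.2.10" };

int main(void)
{
    printf("wildcard SAN, one label:      %d\n", check_peer_hostname(&SAMPLE_WILDCARD, "ldap.example.com"));
    printf("wildcard SAN, two labels:     %d\n", check_peer_hostname(&SAMPLE_WILDCARD, "a.b.example.com"));
    printf("CN ignored when SAN present:  %d\n", check_peer_hostname(&SAMPLE_WILDCARD, "other.example.org"));
    printf("CN fallback, case-insensitive:%d\n", check_peer_hostname(&SAMPLE_CN_ONLY, "LDAP.EXAMPLE.COM"));
    printf("IP literal vs iPAddress SAN:  %d\n", check_peer_hostname(&SAMPLE_IP_SAN, "192.0.2.10"));
    printf("IP literal vs CN only:        %d\n", check_peer_hostname(&SAMPLE_IP_IN_CN, "192.0.2.10"));
    return 0;
}
```

The order of operations matters for the disagreement in the thread: if the TLS library aborts the handshake on its own hostname mismatch, this function never gets to run, so the bad-cert callback has to report that specific error as acceptable while still rejecting untrusted issuers, expired certificates and the like; and once the callback does that, the client must never skip the deferred check, or hostname validation is silently lost.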