
Re: Channel bindings



Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Now that Cyrus SASL 2.1.25 is out with channel binding support, we should be
>>> looking into adding the hooks needed to use it. I believe what we want to
>>> expose is an ldap_get_option(ld, LDAP_OPT_X_TLS_BINDING,&foo) to retrieve the
>>> tls-unique binding data from the underlying TLS session. Then we pass this
>>> into SASL using sasl_setprop(ctx, SASL_CHANNEL_BINDING, foo). The actual
>>> ldap_get_option() code will have to be added for each TLS implementation.
>>
>> How can I use it from python-ldap? python-ldap is mainly a wrapper around the
>> OpenLDAP client libs. Everything which can be done within C has to be exposed
>> in this wrapper module. I guess wrapper modules for other scripting languages
>> have the same requirements.
> 
> Possibly it should just be set implicitly by the sasl_interactive_bind APIs,
> so clients don't need to do anything new at all.

Hmm, I'd like to have control over that within a Python application. Because
there might be interop issues with broken servers where the client wants to
turn it off or massage the tls-unique binding data or...

Ciao, Michael.