[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: next release

To: Michael Ströder <michael@stroeder.com>, "OpenLDAP-devel@openldap.org" <OpenLDAP-devel@openldap.org>
Subject: Re: next release
From: Howard Chu <hyc@symas.com>
Date: Mon, 09 Sep 2013 11:13:51 -0700
In-reply-to: <522E00D5.20906@stroeder.com>
References: <522DF9C1.7080701@symas.com> <522E00D5.20906@stroeder.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22a1

Michael Ströder wrote:

Howard Chu wrote:

A lot of my recent commits are actually intended for OpenLDAP 2.5. A few of
the recent TLS-related changes added to the libldap API, so one way or another
they will require a library version bump. The question is whether these
changes should go into the next 2.4 release:
     channel binding support
     OpenSSL elliptic curve support
     logging tls version/cipher info


Currently I'm not keen on elliptic curves.

Agreed. They seem like a trap, frankly. Especially since it's already knownthat there's a flaw in Dual_EC_DRBG whose very existence is due to the NSA.

Channel binding is interesting but AFAICS current implementations of
SCRAM-SHA-1 still require the userPassword to be in clear-text. So this is not
urgent for now.

The Cyrus-SASL implementation actually looks for authpassword too, in whichcase it can use a prehashed password as in RFC5803. A bit of a shame that theydon't support {scheme}-prefixed userPassword values, as RFC2307 uses.

But I'd like to see better support soon for getting tls version/cipher info in
the logs (ITS#7683). This is much needed to evaluate a certain server deployment.


That should be no problem.

Furthermore also important is more information retrievable by the client:

1. I re-new my feature request "Retrieve LDAP server cert" (ITS#7398). Another
reason for this feature is e.g. client-side cert pinning or similar.


Will look into it.

2. I'd also like to see a LDAP option for retrieving the actually negotiated
tls version/cipher info via ldap_get_option(). I know of
LDAP_OPT_X_TLS_CIPHER_SUITE but a client may enable different features based
on cipher actually negotiated.

Currently these are provided via two new ldap_pvt_tls_get_ functions. (It wasjust easier this way, since slapd doesn't have an LDAP* session handle.) Isuppose for the client side we can provide them via ldap_get_option() as well,but the underlying ldap_pvt functions will be there anyway.

Ciao, Michael.



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- next release
  - From: Howard Chu <hyc@symas.com>
- Re: next release
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: next release
Next by Date: Re: next release
Index(es):
- Chronological
- Thread