[389-devel] Re: Please review: OpenLDAP support
Rich Megginson
rmeggins at redhat.com
Wed Jul 8 03:02:47 UTC 2009
Howard Chu wrote:
> Howard Chu wrote:
>>
>>> Message: 1
>>> Date: Mon, 06 Jul 2009 13:20:22 -0600
>>> From: Rich Megginson<rmeggins at redhat.com>
>>
>>> Note - the patch does not contain the diffs for configure nor
>>> Makefile.in
>>> http://rmeggins.fedorapeople.org/0001-OpenLDAP-support.patch
>
> As noted in your patch, the OpenLDAP API doesn't provide any options
> to control SSL session caching. In the past I hacked that into my
> clients by retrieving the OpenSSL context handles and using the
> OpenSSL API directly. Obviously that's not a viable way forward since
> we now have 3 different TLS libraries to deal with. So, we will
> probably be adding a couple of set_option() flags for this purpose Real
> Soon Now. If there's anything good or bad about the way MozLDAP
> handles this, let me know what you think...
Actually, the way we do it is bad, which is to disable caching on
outgoing SSL connections. Nelson commented on this in a thread on
mozilla.dev.tech.crypto. I think you use SSL_SetSockPeerID() but I'd
have to look up that thread to be sure.
>
> We'll also be providing a callback for obtaining the password for the
> private key... Again that's something we've ignored because OpenSSL
> has provided its own for so long.
This is tricky - with MozNSS you have to do this before you detach from
the terminal, but after you fork().