On Tue, Oct 10, 2017 at 10:43:42AM +0000, ondra(a)openldap.org wrote:
URL:
https://github.com/mistotebe/openldap/tree/its8753
A new libldap option LDAP_OPT_X_TLS_PEERKEY_HASH that accepts a string
'hashname/base64_hash_of_public_key'. If a TLS session is already present on the
main connection, it is also checked immediately.
It introduces a dependency on liblutil by depending on the symbol
lutil_b64_pton. Somehow, this breaks the build for the ldap* tools, not sure why
or how to fix that yet.
A new version is now at the same place (see above); it moves the ldif.c
in-place base64 decoding into a separate function and reuses that.
Other changes:
- pin hash algorithm separator changes to ':'
- pin can now be set from the environment
- can now better deal with connection freeing and/or changes to the
global ldap options
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation
http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
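
The pin format described in this message ('hashname:base64_hash_of_public_key', with the ':' separator from the updated version), as an added example that is not part of the original message and is not OpenLDAP code. The function names, the allowed-hash list and the assumption that the hash covers the DER-encoded public key are illustrative; note that ':' never occurs in the base64 alphabet, whereas '/' does.

```python
import base64
import binascii
import hashlib
import hmac

# Assumption: which hash names are accepted is a local policy choice here.
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}


def parse_pin(pin: str) -> tuple[str, bytes]:
    """Split 'hashname:base64_hash' and validate both halves."""
    name, sep, b64 = pin.partition(":")
    name = name.lower()
    if not sep or name not in ALLOWED_HASHES:
        raise ValueError("pin must be '<hashname>:<base64>' with an allowed hash")
    try:
        digest = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("pin hash is not valid base64") from exc
    # A truncated digest would weaken the pin; require the full length.
    if len(digest) != hashlib.new(name).digest_size:
        raise ValueError("pin hash has the wrong length for " + name)
    return name, digest


def make_pin(name: str, public_key_der: bytes) -> str:
    """Build the pin string for a public key (assumed DER-encoded)."""
    digest = hashlib.new(name, public_key_der).digest()
    return name + ":" + base64.b64encode(digest).decode("ascii")


def peer_key_matches(pin: str, public_key_der: bytes) -> bool:
    """True only if the peer's public key hashes to the pinned value."""
    name, expected = parse_pin(pin)
    actual = hashlib.new(name, public_key_der).digest()
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(actual, expected)


# Constructed stand-in bytes, not real keys.
SAMPLE_KEY = b"constructed-sample-public-key-der"
OTHER_KEY = b"constructed-other-public-key-der"

if __name__ == "__main__":
    pin = make_pin("sha256", SAMPLE_KEY)
    print(pin, peer_key_matches(pin, SAMPLE_KEY), peer_key_matches(pin, OTHER_KEY))
```

A pin written with the earlier '/' separator is rejected by `parse_pin`, as are unknown hash names, malformed base64 and digests of the wrong length.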