On Sep 22, 2012, at 8:24 AM, michael(a)stroeder.com wrote:
Hallvard Breien Furuseth wrote:
> I wrote:
>> In OpenSSL, SSL_get_peer_certificate().
> ..after getting the SSL* arg with
> ldap_get_option LDAP_OPT_X_TLS_SSL_CTX.
> Which the manpage recommends not doing. At least
> don't meddle with the SSL* more than you have to.
That statement, IIRC, was made mostly because unless you control your build of libldap (or
control which libldap you use), you don't know what TLS implementation lies
Hmm, but then the client has to deal with whether libldap is linked
OpenSSL, libnss or GnuTLS...
Yes. but often that's only one.
Anyways, I see little reason to add cert extraction code in libldap. Most folks who need
this need this for more than one protocols, and it's easier/better for them to use a
common facilities for doing this across all these protocols.
But, hey, if someone wants to write such code for all the supported TLS layers, have at
it. But like most things for non-OpenSSL, your mileage will vary.