rmeggins@redhat.com wrote:
>>> I also had to call SSL_SetURL in order to put the correct hostname in the SSL socket for cert validation.
>> I explicitly withheld the hostname to force our own cert validation function to be used. The NSS hostname validator's behavior is inconsistent with the LDAP spec.
> That's the tlsm_session_chkhost() function? The problem is that the chkhost function is called too late - NSS attempts to perform the verification during the handshake process - by the time ldap_pvt_tls_check_hostname() is called in ldap_int_tls_start(), it's too late - NSS has failed - ldap_int_tls_connect() has returned an error.
That should not happen, since tlsm_bad_cert_handler() causes the bad hostname result to be returned as Success. That gives us the chance to check it on our own. It worked in my tests before...
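For readers following the thread: the reason libldap wants the TLS library to stay out of hostname verification is that the LDAP-specific rules (RFC 4513 section 3.1.3) differ from a generic validator. The block below is an added example, not code from this thread or from OpenLDAP's tls_m.c/tls_o.c, and it uses no NSS at all: it is plain C that applies the LDAP-style identity rules (dNSName subjectAltName preferred, case-insensitive match, '*' honoured only as the whole left-most label, iPAddress SAN required when the client connected to an IP literal, subject CN only as a fallback when no dNSName is present). The san_entry type, ldap_check_server_identity(), demo_check() and the sample SAN list are hypothetical names and constructed data for the example; the NSS side (a bad-cert hook returning success for the bad-domain error so this check can run afterwards) is not shown because it needs the NSS headers.

```c
/* Added example: LDAP-style server identity check in plain C.
 * Not OpenLDAP's code and not an NSS callback; it shows only the matching
 * rules a client applies after the TLS library's own hostname verdict
 * has been deferred.  Rules follow RFC 4513 section 3.1.3. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>

/* subjectAltName kinds used here (constructed enum, not NSS's own types) */
enum san_type { SAN_DNS, SAN_IP };

struct san_entry {
    enum san_type type;
    const char   *value;   /* dNSName text, or a dotted IPv4 string */
};

/* Match one dNSName pattern against the name the client connected to.
 * Case-insensitive; '*' is only accepted as the entire left-most label and
 * matches exactly one label: "*.example.com" matches "ldap.example.com"
 * but neither "example.com" nor "a.b.example.com". */
static int dnsname_matches(const char *host, const char *pattern)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;                 /* need one non-empty left label */
        return strcasecmp(dot + 1, pattern + 2) == 0;
    }
    if (strchr(pattern, '*') != NULL)
        return 0;                     /* wildcard anywhere else: reject */
    return strcasecmp(host, pattern) == 0;
}

/* Return 1 if host matches the certificate identity, else 0.
 * cn is the subject CN and is consulted only when no dNSName SAN exists. */
int ldap_check_server_identity(const char *host,
                               const struct san_entry *sans, size_t nsans,
                               const char *cn)
{
    struct in_addr host_ip, san_ip;
    int host_is_ip = inet_pton(AF_INET, host, &host_ip) == 1;
    int saw_dns = 0;
    size_t i;

    for (i = 0; i < nsans; i++) {
        if (host_is_ip) {
            /* an IP literal may only match an iPAddress SAN, never a dNSName */
            if (sans[i].type == SAN_IP &&
                inet_pton(AF_INET, sans[i].value, &san_ip) == 1 &&
                san_ip.s_addr == host_ip.s_addr)
                return 1;
        } else if (sans[i].type == SAN_DNS) {
            saw_dns = 1;
            if (dnsname_matches(host, sans[i].value))
                return 1;
        }
    }
    /* CN fallback only when the cert carried no dNSName at all and the
     * client used a hostname rather than an IP literal */
    if (!host_is_ip && !saw_dns && cn != NULL)
        return dnsname_matches(host, cn);
    return 0;
}

/* constructed sample certificate identities for the demo below */
static const struct san_entry sample_sans[] = {
    { SAN_DNS, "*.example.com" },
    { SAN_IP,  "192.0.2.10" },
};

/* run the check against the sample identities; CN deliberately unrelated */
int demo_check(const char *host)
{
    return ldap_check_server_identity(host, sample_sans, 2, "unrelated.cn");
}

int main(void)
{
    const char *hosts[] = { "ldap.example.com", "LDAP.Example.COM",
                            "example.com", "a.b.example.com",
                            "192.0.2.10", "192.0.2.11" };
    size_t i;
    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-18s -> %d\n", hosts[i], demo_check(hosts[i]));
    return 0;
}
```

The IP-literal branch is the case a generic validator most often gets differently: a dNSName whose text happens to look like an address is not accepted as an identity for a connection opened to that address.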