guenther@sendmail.com wrote:
On Fri, 15 Aug 2008, Philip Guenther wrote: ...
That said, it's more important to me that *some* option gets in so that I (and Sendmail) don't have to maintain forever a patch to add it. If someone 'official' will make a decision and simply state what the option should look like in its three forms (C API, ldap.conf, slapd config), I'll munge the patch to match.
Any opinions?
ldap.conf: TLS_PROTOCOL_MIN <major>,<minor>
Let's use US convention <major>.<minor>...
C:
    struct ldap_tls_protocol { unsigned char major, minor; } val;
    val.major = 3;
    val.minor = 0;
    ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, &val);
I would just use an int, and have the caller OR in the appropriate values. You could also define a few macros for the currently known versions.
What are the values for TLS1.1, 1.2, etc?
?
(I'm running out of time to get _something_ into Sendmail's local copy, at which point I'll just commit something there and have to leave you guys to hack whatever you get around into the official repository.)
Philip Guenther
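
The int encoding suggested in the reply above, as an added example that is not code from this thread or from OpenLDAP: the macro and function names are hypothetical, and the high-byte/low-byte packing is an assumption about how the values would be ORed together. The (major, minor) pairs are the SSL/TLS wire versions: SSL 3.0 is 3.0, TLS 1.0 is 3.1, TLS 1.1 is 3.2 and TLS 1.2 is 3.3.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names for illustration; not OpenLDAP's API. */
#define TLS_PROTO(major, minor)  (((major) << 8) | (minor))
#define TLS_PROTO_MAJOR(v)       (((v) >> 8) & 0xff)
#define TLS_PROTO_MINOR(v)       ((v) & 0xff)

/* Wire versions as carried in the SSL/TLS record layer. */
#define PROTO_SSL3    TLS_PROTO(3, 0)
#define PROTO_TLS1_0  TLS_PROTO(3, 1)
#define PROTO_TLS1_1  TLS_PROTO(3, 2)
#define PROTO_TLS1_2  TLS_PROTO(3, 3)

/* Parse "<major>.<minor>" as it would appear in a config file.
 * Returns the packed value, or -1 on malformed or out-of-range input,
 * so a typo cannot silently become "no minimum". */
static int parse_protocol_min(const char *s)
{
    char *end;
    long major, minor;

    if (s == NULL || *s < '0' || *s > '9')   /* rejects sign and whitespace */
        return -1;
    major = strtol(s, &end, 10);
    if (*end != '.' || major > 0xff)         /* overflow also lands here */
        return -1;
    s = end + 1;
    if (*s < '0' || *s > '9')
        return -1;
    minor = strtol(s, &end, 10);
    if (*end != '\0' || minor > 0xff)        /* no trailing garbage */
        return -1;
    return TLS_PROTO((int)major, (int)minor);
}

/* With major in the high byte, a plain integer compare orders versions
 * correctly: a negotiated version passes when it is >= the minimum. */
static int proto_allowed(int negotiated, int minimum)
{
    return negotiated >= minimum;
}

int main(void)
{
    int min = parse_protocol_min("3.1");     /* constructed sample setting */
    printf("min=%d.%d ssl3=%d tls1.1=%d\n", TLS_PROTO_MAJOR(min), TLS_PROTO_MINOR(min),
           proto_allowed(PROTO_SSL3, min), proto_allowed(PROTO_TLS1_1, min));
    return 0;
}
```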