Following our discussion over cyrus-sasl PR 601, I worked out a
new wip patch:
It changes the sasl channel-binding to be passed optionally (none by
default), controlled via ldap.conf / slapd.conf, and adds
"tls-server-end-point" binding type which is compatible with Windows.
In addition, I noticed the current "tls-unique" implementation in
openldap doesn't pass the prefix of the channel-binding as defined in
RFC 5056, quote:
Specifications of channel bindings for any secure channels MUST
provide for a single, canonical octet string encoding of the
channel bindings. Under this framework, channel bindings MUST
start with the channel binding unique prefix followed by a colon
So I fixed that too, by adding "tls-unique:" prefix as per RFC 5929
registration. Note that this won't be compatible with older versions
of openldap (say for GS2 users, if any), so it is another reason to
not send any bindings by default, to avoid mismatches.
I've only tested the openssl client backend code so far (on top of
cyrus-sasl PR 601), the rest is pretty much pseudo code for now. I
plan to work out the other backends, and add some unit-tests showing
the expected bindings are being passed by both client and server (tips
and help welcome).
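The two encodings discussed in the message above (the RFC 5056 "prefix, colon, data" canonical form and the RFC 5929 tls-server-end-point certificate hash), as an added Python example that is not part of the patch, of OpenLDAP or of cyrus-sasl. The function names are mine, and the certificate bytes and Finished message are constructed placeholders, not real TLS data; only the standard library is used.

```python
import hashlib
import hmac

# RFC 5929 section 4.1: the tls-server-end-point data is a hash of the
# server's DER-encoded certificate using the hash from its signatureAlgorithm,
# except that MD5 and SHA-1 are replaced by SHA-256.
_HASH_SUBSTITUTIONS = {"md5": "sha256", "sha1": "sha256"}

# The two binding types the patch above deals with; the RFC 5929 registered
# names double as the RFC 5056 unique prefixes.
SUPPORTED_TYPES = ("tls-unique", "tls-server-end-point")


def server_end_point_hash(cert_der: bytes, signature_hash: str) -> bytes:
    """Return the tls-server-end-point hash of a DER certificate.

    signature_hash is the hash named in the certificate's signatureAlgorithm
    (e.g. "sha256", "SHA-1"); the RFC 5929 substitution rule is applied.
    """
    name = signature_hash.lower().replace("-", "")
    name = _HASH_SUBSTITUTIONS.get(name, name)
    return hashlib.new(name, cert_der).digest()


def channel_binding(cb_type: str, cb_data: bytes) -> bytes:
    """Canonical RFC 5056 octet string: unique prefix, a colon, then the data."""
    if cb_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported channel binding type: {cb_type!r}")
    return cb_type.encode("ascii") + b":" + cb_data


def tls_unique_binding(first_finished: bytes) -> bytes:
    """tls-unique: the first TLS Finished message of the handshake (RFC 5929 section 3)."""
    return channel_binding("tls-unique", first_finished)


def tls_server_end_point_binding(cert_der: bytes, signature_hash: str) -> bytes:
    """tls-server-end-point: prefix plus the certificate hash (RFC 5929 section 4)."""
    return channel_binding("tls-server-end-point",
                           server_end_point_hash(cert_der, signature_hash))


def bindings_match(client_cb: bytes, server_cb: bytes) -> bool:
    """Constant-time comparison of the two sides' channel binding data."""
    return hmac.compare_digest(client_cb, server_cb)


# Constructed placeholder inputs (not real TLS data): a fake DER blob standing
# in for the server certificate and a fake 12-byte Finished message.
FAKE_CERT_DER = bytes.fromhex("3082010a0282010100") + bytes(range(64))
FAKE_FINISHED = bytes.fromhex("0c0d0e0f1011121314151617")

if __name__ == "__main__":
    ep = tls_server_end_point_binding(FAKE_CERT_DER, "sha1")
    print("tls-server-end-point:", ep.hex())
    # A peer that still sends the raw Finished bytes does not match a peer
    # that sends the prefixed form, which is the interoperability concern
    # raised in the message above.
    print("prefixed vs raw tls-unique match:",
          bindings_match(tls_unique_binding(FAKE_FINISHED), FAKE_FINISHED))
```

The SHA-1 to SHA-256 substitution is why a tls-server-end-point value computed over a SHA-1-signed certificate has the same length as one over a SHA-256-signed certificate; the comparison at the end shows why sending no binding by default avoids a hard failure against peers that predate the prefix.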
Thanks for this. Would be nice to get other testers' eyes on it.
Don't spend any time on the MozNSS backend, we are removing it.
-- Howard Chu
CTO, Symas Corp.