I've split all of the OpenSSL and GnuTLS-specific code into their own separate source files, to clean up some of the #ifdef mess that was in tls.c before. This approach actually allows support for both to be compiled in at the same time. I'll probably add an LDAP_OPT_X option to select which implementation to use at runtime. (It might make sense to make these dynamically loadable modules, but for now I don't want to make libldap dependent on ltdl/dlopen/whatever.)
I have not committed these changes yet. Probably will in the next day or two unless there are objections.
There's one user-visible change: get_option(LDAP_OPT_X_TLS_SSL_CTX) now returns a pointer to a privately defined structure. For GnuTLS this is in fact the same behavior as before. For OpenSSL this is a change; it used to return the actual (SSL *). If this is going to break something of yours, holler now...
On Tue, 12 Aug 2008, Howard Chu wrote:
> I've split all of the OpenSSL and GnuTLS-specific code into their own separate source files, to clean up some of the #ifdef mess that was in tls.c before. This approach actually allows support for both to be compiled in at the same time. I'll probably add an LDAP_OPT_X option to select which implementation to use at runtime. (It might make sense to make these dynamically loadable modules, but for now I don't want to make libldap dependent on ltdl/dlopen/whatever.)

Hah. I was going to be submitting an ITS/patch later this week to add an ldap.conf option (TLS_MIN_PROTOCOL) and a slapd.conf option (TLSProtocolMin) for disabling use of either just SSLv2 or both SSLv2 and SSLv3. I guess I'll wait until your changes go in and redo it against the new layout.

(My patch only adds this for OpenSSL.)

> There's one user-visible change: get_option(LDAP_OPT_X_TLS_SSL_CTX) now returns a pointer to a privately defined structure. For GnuTLS this is in fact the same behavior as before. For OpenSSL this is a change; it used to return the actual (SSL *). If this is going to break something of yours, holler now...

Ick. If the meaning of the option is going to change, please change the name at the same time.

Philip Guenther
Philip Guenther wrote:
> On Tue, 12 Aug 2008, Howard Chu wrote:
>> I've split all of the OpenSSL and GnuTLS-specific code into their own separate source files, to clean up some of the #ifdef mess that was in tls.c before. This approach actually allows support for both to be compiled in at the same time. I'll probably add an LDAP_OPT_X option to select which implementation to use at runtime. (It might make sense to make these dynamically loadable modules, but for now I don't want to make libldap dependent on ltdl/dlopen/whatever.)
>
> Hah. I was going to be submitting an ITS/patch later this week to add an ldap.conf option (TLS_MIN_PROTOCOL) and a slapd.conf option (TLSProtocolMin) for disabling use of either just SSLv2 or both SSLv2 and SSLv3. I guess I'll wait until your changes go in and redo it against the new layout.
>
> (My patch only adds this for OpenSSL.)

GnuTLS doesn't implement SSLv2, so it's kind of a moot point there.

>> There's one user-visible change: get_option(LDAP_OPT_X_TLS_SSL_CTX) now returns a pointer to a privately defined structure. For GnuTLS this is in fact the same behavior as before. For OpenSSL this is a change; it used to return the actual (SSL *). If this is going to break something of yours, holler now...
>
> Ick. If the meaning of the option is going to change, please change the name at the same time.

Yeah, it's pretty much ugly all around.

It may be best to reserve the old options exclusively for OpenSSL, and introduce new options for the generic/private structure. This means code that doesn't expect libldap to be built with GnuTLS will get failure results on those options in that situation.

That's also ugly, because there's a lot of code out there that doesn't care what the return structure is, because it's only being stored to be fed back into libldap later...
On Tue, 12 Aug 2008, Howard Chu wrote:
> Philip Guenther wrote:
> ...
>> Hah. I was going to be submitting an ITS/patch later this week to add an ldap.conf option (TLS_MIN_PROTOCOL) and a slapd.conf option

Typo. That should have been "TLS_PROTOCOL_MIN", with a C option of LDAP_OPT_X_TLS_PROTOCOL_MIN.

>> (My patch only adds this for OpenSSL.)
>
> GnuTLS doesn't implement SSLv2, so it's kind of a moot point there.

Well, it would be nice to support disabling SSLv3 and requiring TLSv1 in case the day comes that someone finds an actual attack on the MAC used in the SSLv3 finish message.

>>> There's one user-visible change: get_option(LDAP_OPT_X_TLS_SSL_CTX) now returns a pointer to a privately defined structure. For GnuTLS this is in fact the same behavior as before. For OpenSSL this is a change; it used to return the actual (SSL *). If this is going to break something of yours, holler now...
>>
>> Ick. If the meaning of the option is going to change, please change the name at the same time.
>
> Yeah, it's pretty much ugly all around.
>
> It may be best to reserve the old options exclusively for OpenSSL, and introduce new options for the generic/private structure. This means code that doesn't expect libldap to be built with GnuTLS will get failure results on those options in that situation.
>
> That's also ugly, because there's a lot of code out there that doesn't care what the return structure is, because it's only being stored to be fed back into libldap later...

Wouldn't that sort of code be using LDAP_OPT_X_TLS_CTX instead of LDAP_OPT_X_TLS_SSL_CTX, as the latter can't be used with ldap_set_option()? LDAP_OPT_X_TLS_SSL_CTX could stay OpenSSL-only and LDAP_OPT_X_TLS_CTX could be the 'opaque structure' one.

Philip Guenther
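As an added illustration, not part of this thread or of the patch under discussion, here is how the two protocol-minimum settings named above look in configuration. It uses the option names as corrected in this message (TLS_PROTOCOL_MIN for ldap.conf, TLSProtocolMin for slapd.conf) and the `<major>.<minor>` record-layer version encoding that later OpenLDAP 2.4 releases adopted for them; that encoding is an assumption about the shipped form, not necessarily what the 2008 patch used. The two values map onto the two cases the patch is meant to cover: a minimum of 3.0 refuses only SSLv2, a minimum of 3.1 refuses SSLv2 and SSLv3 and requires TLSv1 or newer.

```conf
# ldap.conf (client side, libldap) -- added example, not from the thread.
# Version encoding assumed from later OpenLDAP 2.4 releases:
#   3.0 = SSLv3, 3.1 = TLSv1.0, 3.2 = TLSv1.1, 3.3 = TLSv1.2
# SSLv2 is record-layer version 2.0, so any 3.x minimum excludes it.

# Case 1: disable just SSLv2 (SSLv3 and TLS still allowed)
#TLS_PROTOCOL_MIN 3.0

# Case 2: disable both SSLv2 and SSLv3, negotiate TLSv1.0 or newer only
TLS_PROTOCOL_MIN 3.1

# slapd.conf (server side) -- same meaning, same encoding
# Case 1: SSLv2 off only
#TLSProtocolMin 3.0
# Case 2: SSLv2 and SSLv3 off, TLSv1 required
TLSProtocolMin 3.1
```

As the thread notes, the patch applies to OpenSSL builds; a GnuTLS build has no SSLv2 to disable in the first place. To confirm the server-side setting took effect, a handshake attempt that offers only SSLv3 (for example `openssl s_client -ssl3 -connect ldap.example.com:636`, with the hostname a placeholder) should be rejected after the change, while a TLSv1 handshake still succeeds.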
Philip Guenther wrote:
> On Tue, 12 Aug 2008, Howard Chu wrote:
>> I've split all of the OpenSSL and GnuTLS-specific code into their own separate source files, to clean up some of the #ifdef mess that was in tls.c before. This approach actually allows support for both to be compiled in at the same time. I'll probably add an LDAP_OPT_X option to select which implementation to use at runtime. (It might make sense to make these dynamically loadable modules, but for now I don't want to make libldap dependent on ltdl/dlopen/whatever.)
>
> Hah. I was going to be submitting an ITS/patch later this week to add an ldap.conf option (TLS_MIN_PROTOCOL) and a slapd.conf option (TLSProtocolMin) for disabling use of either just SSLv2 or both SSLv2 and SSLv3. I guess I'll wait until your changes go in and redo it against the new layout.
>
> (My patch only adds this for OpenSSL.)

Go ahead and submit the patch. I'm still undecided on where to go with my current code.

By the way, this restructuring also allowed me to get Mozilla NSS working. (Barely.) Some more work is still needed on that front.