Erwann ABALEA wrote:
2011/7/29 Howard Chu <hyc@symas.com>:
The security argument is good. For my personal use, certificateMatch filter is not used. But I'll need to store X.509 certificates, some containing T61String elements in issuerDN, and retrieve them using more classic search filters &((objectClass=inetOrgPerson)(cn=...)(sn=...)) and get the userCertificate;binary attribute. I found some messages from 2006 saying that certificateMatch was done using OpenSSL. Did you choose to code it differently to support other crypto libraries, such as GnuTLS?
Yes. Once we made the decision to support multiple TLS libraries we obviously needed to refactor, particularly since libraries like GnuTLS were completely broken in their processing of certificate names.