Re: (ITS#4475) libldap/tls.c uses static variables for TLS information
I agree this is a problem, it's been noted on -devel once or twice as
well. Not sure if this will get fixed in 2.3 or will have to wait for
2.4, most likely the latter.
aland@freeradius.org wrote:
> Full_Name: Alan DeKok
> Version: current
> OS: Linux
> URL:
> Submission from: (NULL) (205.158.171.199)
>
>
> http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/libldap/tls.c?rev=1.133&hideattic=1&sortbydate=0
>
> says:
>
> ...
> static int tls_opt_trace = 1;
> static char *tls_opt_certfile = NULL;
> static char *tls_opt_keyfile = NULL;
> static char *tls_opt_dhfile = NULL;
> static char *tls_opt_cacertfile = NULL;
> static char *tls_opt_cacertdir = NULL;
> static int tls_opt_require_cert = LDAP_OPT_X_TLS_DEMAND;
> ...
>
> These variables should be tied to the LDAP* pointer that's returned to the
> caller in ldap_initialize().
>
> The effect of this bug is that applications using libldap can have a TLS
> connection open to only one LDAP server at a time. While this works for
> most applications, FreeRADIUS (www.freeradius.org) can have multiple long-lived
> connections open to multiple LDAP servers.
>
> This bug means that only one of those connections can use certificates, OR
> all of the connections must use the same cacerts. This restriction causes
> problems for administrators who wish to use different certificates for each
> LDAP server.
>
>
>
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
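Added illustration of the failure mode Alan describes, not code from the report or from libldap: a toy model with one process-wide static (design A, the pattern in the quoted tls.c) beside a per-handle field (design B). The struct and function names and the CA paths are invented for the example.

```c
#include <string.h>
/* Toy model added to illustrate the report; it is not libldap code. The names
 * ldap_global, ldap_handle, *_set_cacert and *_cacert_for are invented. */

#define CA_A "/etc/ssl/ca-a.pem"   /* constructed sample CA paths */
#define CA_B "/etc/ssl/ca-b.pem"

/* Design A: a process-wide static, like tls_opt_cacertfile in the quoted tls.c. */
static const char *tls_opt_cacertfile = NULL;

struct ldap_global { const char *uri; };

static void global_set_cacert(struct ldap_global *ld, const char *path) {
    (void)ld;                  /* the handle is ignored: one setting per process */
    tls_opt_cacertfile = path;
}

static const char *global_cacert_for(const struct ldap_global *ld) {
    (void)ld;
    return tls_opt_cacertfile; /* whichever caller set it last wins */
}

/* Design B: the option lives on the handle, as the report asks for. */
struct ldap_handle { const char *uri; const char *cacertfile; };

static void handle_set_cacert(struct ldap_handle *ld, const char *path) {
    ld->cacertfile = path;
}

static const char *handle_cacert_for(const struct ldap_handle *ld) {
    return ld->cacertfile;
}

/* Each returns 1 only if both connections still see the CA they were given. */
int global_design_isolated(void) {
    struct ldap_global a = { "ldaps://a.example" }, b = { "ldaps://b.example" };
    global_set_cacert(&a, CA_A);
    global_set_cacert(&b, CA_B);   /* clobbers A: A would now verify against CA_B */
    return strcmp(global_cacert_for(&a), CA_A) == 0 &&
           strcmp(global_cacert_for(&b), CA_B) == 0;
}

int handle_design_isolated(void) {
    struct ldap_handle a = { "ldaps://a.example", NULL };
    struct ldap_handle b = { "ldaps://b.example", NULL };
    handle_set_cacert(&a, CA_A);
    handle_set_cacert(&b, CA_B);
    return strcmp(handle_cacert_for(&a), CA_A) == 0 &&
           strcmp(handle_cacert_for(&b), CA_B) == 0;
}
```

With design A the first connection silently ends up verifying server A's certificate against CA B, which is the restriction the report describes; design B keeps each connection's trust settings independent.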