Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
Philip Guenther wrote:
> On Tue, 19 Aug 2008, Howard Chu wrote:
>> guenther@sendmail.com wrote:
> ...
>>> TLS_PROTOCOL_MIN <major>,<minor>
>> Let's use US convention <major>.<minor>...
>
> Ok.
>
>>> C:
>>> struct ldap_tls_protocol { unsigned char major, minor; } val;
>>> val.major = 3; val.minor=0;
>>> ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, &val);
>> I would just use an int, and have the caller OR in the appropriate
>> values.
>
> So:
> /* force TLS 1.0 or later */
> ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, (3 << 8) + 1);
The set_option interface requires a pointer. So
min = (3<<8)+1;
ldap_set_option(ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, &min);
>
>
>> You could also define a few macros for the currently known versions.
>
> Preferences on the format of those macros?
>
> #define LDAP_OPT_X_TLS_PROTOCOL_SSLv2   (2 << 8)
> #define LDAP_OPT_X_TLS_PROTOCOL_SSLv3   (3 << 8)
> #define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_0 ((3 << 8) + 1)
> #define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_1 ((3 << 8) + 2)
> #define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_2 ((3 << 8) + 3)
>
> ?
>
Drop the 'v' and I think it'll be fine.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
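An added example, not code from this thread or from OpenLDAP itself, showing the packed `(major << 8) + minor` encoding the thread settles on: a hypothetical parser for the ldap.conf `TLS_PROTOCOL_MIN <major>.<minor>` form and the minimum-version comparison that encoding makes possible. The macro names follow the "drop the 'v'" suggestion; `tls_protocol_parse` and `tls_protocol_meets_min` are assumed helper names, not library API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>

/* Version macros in the form agreed above ('v' dropped); major is the
 * high byte, minor the low byte, so ordinary integer compare orders them. */
#define LDAP_OPT_X_TLS_PROTOCOL_SSL2   (2 << 8)
#define LDAP_OPT_X_TLS_PROTOCOL_SSL3   (3 << 8)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)

/* Hypothetical parser for the config form "<major>.<minor>" (e.g. "3.1").
 * Returns the packed int, or -1 on malformed input: missing dot, comma
 * separator, trailing garbage, sign, or a component outside 0..255. */
int tls_protocol_parse(const char *s)
{
    char *end;
    long major, minor;

    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;
    major = strtol(s, &end, 10);
    if (*end != '.' || !isdigit((unsigned char)end[1]))
        return -1;
    minor = strtol(end + 1, &end, 10);
    if (*end != '\0' || major < 0 || major > 255 || minor < 0 || minor > 255)
        return -1;
    return (int)((major << 8) | minor);
}

/* Hypothetical post-handshake check: the negotiated version must not be
 * below the configured minimum. SSL2 < SSL3 < TLS1.0 < TLS1.1 < TLS1.2
 * falls out of the packed encoding without any special casing. */
int tls_protocol_meets_min(int negotiated, int minimum)
{
    return negotiated >= minimum;
}

int main(void)
{
    /* "3.1" is TLS 1.0 or later, the case used in the thread; real code
     * would then pass &min to ldap_set_option(), since it takes a pointer. */
    int min = tls_protocol_parse("3.1");

    printf("min = 0x%x, SSL3 allowed: %d, TLS1.2 allowed: %d\n", min,
           tls_protocol_meets_min(LDAP_OPT_X_TLS_PROTOCOL_SSL3, min),
           tls_protocol_meets_min(LDAP_OPT_X_TLS_PROTOCOL_TLS1_2, min));
    return 0;
}
```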