Re: FW: Segfault with TLS
At 07:27 PM 2001-09-17, Howard Chu wrote:
>I have just verified the following bug report. The question is what exactly
>should the fix be?
If ldapsearch was called:
ldapsearch -H ldaps:///
ldapsearch -H ldap:// -Z
then ldapsearch should connect to "localhost" and use
"localhost" for certificate checking.
If ldapsearch was started
ldapsearch -Z
then we should use the ldap.conf(5) hostname.
The key is we need to check the user specified (whether on command
line or ldap.conf(5)) for the certificate check.
I believe the latter case works, I believe the problem is with
the former. That is, I think (though I'd need to verify this)
the correct fix is to add:
if( host == NULL ) host = "localhost";
to ldap_int_tls_start() (just below the present setting of host).
Yes, this will generally cause certificate checks as "localhost".
But trusting localhost would be a bad thing. Those wanting ease
of use should just not bother with ldaps:// through loopback.
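An added illustration of the name-selection rule described above (example code, not OpenLDAP's own; ldap_url_host(), tls_check_name() and cert_name_matches() are assumed helper names, and the URI/hostname values are constructed):

```c
/* Which hostname the server certificate should be checked against.
 * Mirrors the proposed fix: a URI with no host ("ldaps:///", "ldap://")
 * means "localhost"; no -H at all means the ldap.conf(5) host; and the
 * name handed to the certificate check is never NULL. */
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Copy the host part of an LDAP URI into buf. Returns NULL when the URI
 * carries no host (e.g. "ldaps:///"), the case behind the crash report. */
static const char *ldap_url_host(const char *uri, char *buf, size_t buflen)
{
    const char *p = strstr(uri, "://");
    if (p == NULL) return NULL;
    p += 3;
    size_t n = strcspn(p, ":/");      /* host ends at a port or a path */
    if (n == 0 || n >= buflen) return NULL;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return buf;
}

/* uri: the -H argument, or NULL if none was given.
 * conf_host: the hostname taken from ldap.conf(5), or NULL. */
const char *tls_check_name(const char *uri, const char *conf_host,
                           char *buf, size_t buflen)
{
    const char *host;
    if (uri == NULL)
        host = conf_host;                   /* no -H: ldap.conf(5) wins */
    else
        host = ldap_url_host(uri, buf, buflen);   /* -H: its host part */
    if (host == NULL) host = "localhost";   /* the fix discussed above */
    return host;
}

/* Case-insensitive match of the expected name against the certificate's
 * subject CN. Without the default above, a NULL expected name would be
 * dereferenced here, which is the segfault in the subject line. */
int cert_name_matches(const char *expected, const char *cert_cn)
{
    return strcasecmp(expected, cert_cn) == 0;
}
```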