RE: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)

["Howard Chu" <hyc@highlandsun.com>]

Title: RE: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)

-----Original Message-----
From: owner-openldap-devel@OpenLDAP.org [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Prashant Kumar
Sent: Wednesday, October 15, 2003 6:19 AM
To: Howard Chu; 'Kurt D. Zeilenga'
Cc: openldap-devel@OpenLDAP.org
Subject: RE: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)

Howard,

I don't think doing:

        ldap_pvt_tls_init();
        ldap_pvt_tls_init_def_ctx();
        ldap_get_option(NULL, TLS_CTX, &ctx);

will give the user enough flexibility to do  whatever he wants
unless we fix ldap_start_tls_s because this is the execution
sequence of ldap_start_tls_s:

ldap_start_tls_s->ldap_int_tls_start->ldap_int_tls_connect->alloc_handle
->ldap_pvt_tls_int_def_ctx () which will overwrite whatever the user
has done before.  

 

Not true. ldap_pvt_tls_init_def_ctx() will not overwrite the context if it has already been initialized. If a user calls the sequence I outlined above before calling ldap_start_tls_s() then their customized context will be used. Since the library works this way, I see no reason to provide additional hooks to customize the global TLS context.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support