[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: StartTLS URL extension

To: "William A. Rowe, Jr." <wrowe@rowe-clan.net>
Subject: Re: StartTLS URL extension
From: Howard Chu <hyc@symas.com>
Date: Mon, 06 Oct 2008 16:01:57 -0700
Cc: OpenLDAP-devel@openldap.org
In-reply-to: <48EA974A.2040902@rowe-clan.net>
References: <48E97964.6070300@symas.com> <48EA974A.2040902@rowe-clan.net>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b1pre) Gecko/20081004 SeaMonkey/2.0a1pre

William A. Rowe, Jr. wrote:

Howard Chu wrote:

We really ought to have a way to allow clients to make libldap use
StartTLS without having to code their own calls into libldap for that
purpose. I think it would be useful to allow specifying StartTLS in the
extension field of the LDAP URL. Then at least it can be configured into
ldap.conf forgotten about.

The code for ldap_initialize() should look for the URL extension field,
and act on it if StartTLS / 1.3.6.1.4.1.1466.20037 is present.

Any comments?


What would be the syntax and mechanism for defining client certificates
or permitted server CA chains?

The same as currently exists. None of those details are parameters of the actual StartTLS exop so they're not relevant to this discussion.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- StartTLS URL extension
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: StartTLS URL extension
Next by Date: RE24 final testing
Index(es):
- Chronological
- Thread