Howard Chu wrote:
> A lot of my recent commits are actually intended for OpenLDAP 2.5. A few of
> the recent TLS-related changes added to the libldap API, so one way or another
> they will require a library version bump. The question is whether these
> changes should go into the next 2.4 release:
> channel binding support
> OpenSSL elliptic curve support
> logging tls version/cipher info

Currently I'm not keen on elliptic curves.

Channel binding is interesting, but AFAICS current implementations of SCRAM-SHA-1 still require the userPassword to be in clear-text. So this is not urgent for now.

But I'd like to see better support soon for getting TLS version/cipher info in the logs (ITS#7683). This is much needed to evaluate a certain server deployment.

Furthermore, also important is more information retrievable by the client:

1. I renew my feature request "Retrieve LDAP server cert" (ITS#7398). Another reason for this feature is e.g. client-side cert pinning or similar.

2. I'd also like to see an LDAP option for retrieving the actually negotiated TLS version/cipher info via ldap_get_option(). I know of LDAP_OPT_X_TLS_CIPHER_SUITE, but a client may enable different features based on the cipher actually negotiated.

Ciao, Michael.