Re: [389-devel] Re: Please review: OpenLDAP support

Howard Chu wrote:
> Howard Chu wrote:
> > > Message: 1
> > > Date: Mon, 06 Jul 2009 13:20:22 -0600
> > > From: Rich Megginson<[EMAIL PROTECTED]>
> >
> > > Note - the patch does not contain the diffs for configure nor 
> > > Makefile.in
> > > http://rmeggins.fedorapeople.org/0001-OpenLDAP-support.patch
>
> As noted in your patch, the OpenLDAP API doesn't provide any options 
> to control SSL session caching. In the past I hacked that into my 
> clients by retrieving the OpenSSL context handles and using the 
> OpenSSL API directly. Obviously that's not a viable way forward since 
> we now have 3 different TLS libraries to deal with. So, we will 
> probably be adding a couple set_option() flags for this purpose Real 
> Soon Now. If there's anything good or bad about the way MozLDAP 
> handles this, let me know what you think...
Actually, the way we do it is bad, which is to disable caching on 
outgoing SSL connections.  Nelson commented on this in a thread on 
mozilla.dev.tech.crypto.  I think you use SSL_SetSockPeerID() but I'd 
have to look up that thread to be sure.
> We'll also be providing a callback for obtaining the password for the 
> private key... Again that's something we've ignored because OpenSSL 
> has provided its own for so long.
This is tricky - with MozNSS you have to do this before you detach from 
the terminal, but after you fork().
--
389-devel mailing list
[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/fedora-directory-devel