Re: [389-devel] Re: Please review: OpenLDAP support Rich Megginson Tue Jul 07 20:30:08 2009

Howard Chu wrote:
Note - the patch does not contain the diffs for configure or Makefile.in

As noted in your patch, the OpenLDAP API doesn't provide any options to control SSL session caching. In the past I hacked that into my clients by retrieving the OpenSSL context handles and using the OpenSSL API directly. Obviously that's not a viable way forward since we now have 3 different TLS libraries to deal with. So, we will probably be adding a couple of set_option() flags for this purpose Real Soon Now. If there's anything good or bad about the way MozLDAP handles this, let me know what you think...
Actually, the way we do it is bad, which is to disable caching on outgoing SSL connections. Nelson commented on this in a thread on mozilla.dev.tech.crypto. I think you use SSL_SetSockPeerID() but I'd have to look up that thread to be sure.

We'll also be providing a callback for obtaining the password for the private key... Again that's something we've ignored because OpenSSL has provided its own for so long.
This is tricky - with MozNSS you have to do this before you detach from the terminal, but after you fork().
