[EMAIL PROTECTED] wrote:
> Full_Name: Philip Guenther
> Version:
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/guenther-080813.patch
> Submission from: (NULL) (64.58.1.252)
>
>
> It's time for SSL version 2.0 to die: it has numerous weaknesses and has been
> superseded by SSL version 3.0 and TLS version 1.0 for *years*. Indeed, the LDAP
> Start_Tls extended operation is defined by reference to the TLS standard.
>
> (It could be argued that a client that sends an SSLv2-compatible handshake after
> doing Start_Tls is non-compliant, or at least non-interoperable, as servers are
> only required to support true TLS handshakes.)
>
> As a first step, here's a patch against the CVS trunk that adds the ability to
> set the minimum TLS/SSL protocol from the C API (LDAP_OPT_X_TLS_PROTOCOL_MIN),
> the ldap.conf (TLS_PROTOCOL_MIN), and the slapd config
> (TLSProtocolMin/olcTLSProtocolMin). Possible settings are:
>
>   C API ldap_[sg]et_option()          ldap.conf/slapd config
>   -----------------------------------------------------------
>   LDAP_OPT_X_TLS_PROTOCOL_SSLv2       SSLv2
>   LDAP_OPT_X_TLS_PROTOCOL_SSLv3       SSLv3
>   LDAP_OPT_X_TLS_PROTOCOL_TLSv1_0     TLSv1 OR TLSv1.0
Using an option flag for each protocol version seems excessive; it will be a
recurring maintenance burden because each new option flag reflects an API
change. (GnuTLS claims to already support TLSv1.2.) This should use a single
option flag and a numeric or bitfield argument for selecting protocols
instead. Since we're talking about minimum settings, it should likely just be
an increasing range of numbers. I note that the on-the-wire protocol version
is just a 16-bit integer; we could define protocol names that correspond
directly to these values.

> (1.0, because TLSv1.1 is already published, even though OpenSSL doesn't
> support it yet)

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
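The single numeric minimum that the reply above sketches, worked through as an added C example. This is not OpenLDAP code and not the patch under discussion: the `PROTO_*` enum, the `tls_proto_*` and `hello_*` helpers, the acceptance policy for SSLv2-framed hellos, and the sample hello bytes are all this example's own assumptions. The version numbers are the 16-bit values that appear on the wire (major in the high byte, minor in the low byte), so "minimum" becomes an integer comparison and a newer TLS version needs a table entry, not a new API flag; the SSLv2 value is the version field of an SSLv2 CLIENT-HELLO, chosen here so that ordering stays monotonic.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Added example, not OpenLDAP code. Protocol versions as the on-the-wire
 * 16-bit number: (major << 8) | minor. Because the values increase with
 * the protocol's age, a "minimum" is a plain numeric comparison. */
enum tls_proto {
    PROTO_SSLv2   = 0x0002, /* version field of an SSLv2 CLIENT-HELLO (assumed here) */
    PROTO_SSLv3   = 0x0300,
    PROTO_TLSv1_0 = 0x0301,
    PROTO_TLSv1_1 = 0x0302,
    PROTO_TLSv1_2 = 0x0303
};

/* Map a config keyword (the value of a TLS_PROTOCOL_MIN / TLSProtocolMin
 * line) to a version number. "TLSv1" and "TLSv1.0" are synonyms, as in the
 * ITS table. Unknown keywords return -1 so a typo cannot silently lower
 * the minimum. */
int tls_proto_parse(const char *s)
{
    static const struct { const char *name; int ver; } names[] = {
        { "SSLv2",   PROTO_SSLv2   },
        { "SSLv3",   PROTO_SSLv3   },
        { "TLSv1",   PROTO_TLSv1_0 },
        { "TLSv1.0", PROTO_TLSv1_0 },
        { "TLSv1.1", PROTO_TLSv1_1 },
        { "TLSv1.2", PROTO_TLSv1_2 }
    };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strcasecmp(s, names[i].name) == 0)
            return names[i].ver;
    return -1;
}

/* Version a client hello advertises. Two framings exist on the wire:
 *  - SSLv3/TLS record: type 0x16 (handshake), major, minor, 2-byte length.
 *  - SSLv2-compatible hello: 2-byte header with the high bit set, then
 *    message type 0x01 (CLIENT-HELLO), then version major and minor.
 * The second form is the handshake the ITS wants retired; it can still
 * advertise a TLS version. Returns -1 if the bytes are not a client hello. */
int hello_version(const unsigned char *p, size_t n, int *sslv2_framing)
{
    *sslv2_framing = 0;
    if (n >= 5 && p[0] == 0x16 && p[1] == 0x03)
        return (p[1] << 8) | p[2];
    if (n >= 5 && (p[0] & 0x80) && p[2] == 0x01) {
        *sslv2_framing = 1;
        return (p[3] << 8) | p[4];
    }
    return -1;
}

/* Convenience wrapper: 1 if the hello uses SSLv2 framing, else 0. */
int hello_is_sslv2_framed(const unsigned char *p, size_t n)
{
    int framed = 0;
    hello_version(p, n, &framed);
    return framed;
}

/* Acceptance policy (this example's choice, not a rule from the thread):
 * reject when the advertised version is below the configured minimum, and,
 * once the minimum is above SSLv2, also reject SSLv2-framed hellos even when
 * they advertise a newer version, since after Start_Tls a server only has
 * to understand true TLS handshakes. Returns 1 to accept, 0 to reject. */
int hello_meets_min(const unsigned char *p, size_t n, int min)
{
    int sslv2 = 0;
    int ver = hello_version(p, n, &sslv2);
    if (ver < 0 || ver < min)
        return 0;
    if (sslv2 && min > PROTO_SSLv2)
        return 0;
    return 1;
}

/* Constructed sample hellos (leading bytes only; the rest is irrelevant here). */
const unsigned char hello_tls10[]    = { 0x16, 0x03, 0x01, 0x00, 0x2f, 0x01 }; /* TLS 1.0 record */
const unsigned char hello_ssl3[]     = { 0x16, 0x03, 0x00, 0x00, 0x2f, 0x01 }; /* SSLv3 record */
const unsigned char hello_v2_tls10[] = { 0x80, 0x2e, 0x01, 0x03, 0x01 };       /* SSLv2 framing, advertises TLS 1.0 */
const unsigned char hello_v2_ssl2[]  = { 0x80, 0x2e, 0x01, 0x00, 0x02 };       /* SSLv2 framing, SSLv2 only */
```

With `TLSProtocolMin TLSv1` the first sample is accepted, the SSLv3 record is refused for being below the minimum, and both SSLv2-framed hellos are refused; only a minimum of SSLv2 lets the SSLv2-framed TLS 1.0 hello through. Adding TLS 1.1 or 1.2 support is one more row in `names`, with no change to the option's signature.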
