Yes, that's exactly what I suspect it to be.  At one time I
had a URL to a nice technical writeup of the problem, which
bit us trying to use PHP to connect to the IBM product.
Later I read somewhere that it was a problem for the
Microsoft product but I have not tested this directly.

There was an "ignore" bit in the OpenSSL API and I think
I traced code through OpenLDAP that would pass "options"
it didn't know about down to OpenSSL, but I never got a
chance to try it; we eventually dropped PHP and started
doing things in Perl.

Vadim Fedukovich wrote:
On Wed, Sep 03, 2003 at 11:46:30AM -0400, Charles B Cranston wrote:

Sean McKay wrote:


I was not able to get the LDAPS server to respond to the query so out of
desperation, I thought I'd try HTTPS -- if I remember right, I think
Microsoft uses a non-standard for LDAPS that I can't remember right now.

I am aware of one incompatibility in the LDAP world. This causes OpenLDAP to be incompatible with both the IBM Directory Server and I believe with Microsoft as well. This is due to a modification to the way that LDAP does encoding to thwart a possible attack method; unfortunately, neither of these products interworks with the thwart.

Interestingly enough, the Perl Net::LDAPS works fine with EITHER kind of
server.  It is totally written in Perl so does not use any of these
libraries.

You might try to see if you can set a bit in OpenLDAP that passes
through to OpenSSL that says "don't implement the thwart".  I had a
conjecture that this might work (I was working in PHP at the time)
but never had a chance to test it out.

But there is clearly an incompatibility, and we had to do local code to
make the Apache SSL stuff work with a "special library" IBM donated
to us.

I might be able to post a URL for a technical explanation if anybody
is interested in seeing it.


Yes please.
Is it an "empty fragment" counter-measure introduced by OpenSSL
and not yet widely implemented elsewhere?

regards,
Vadim


--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]




--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
