From: Graham Leggett
Date: Sat, 01 Dec 2007 20:07:50 +0200
To: Eric Covener
CC: APR Development
Subject: Re: [Patch] LDAP SSL support for Tivoli
Message-ID: <4751A2F6.90100@sharp.fm>
In-Reply-To: <1404e5910712010940s3604476cg73f82e6ce19b9b66@mail.gmail.com>

Eric Covener wrote:
> Upon return from apr_ldap_ssl_init(), SSL has not been initialised on
> the underlying toolkit. If the entire function, and not just the
> setting of certificates, is deprecated, we should make that more clear.
>
> Additionally, it looks like if you "fail" to initialize SSL (native
> return code indicating "already initialized" but maybe with different
> SSL parameters) in the per-connection context you're going to trigger
> a failure in apr_ldap_init() which the program will see unnecessarily
> and would have a difficult time coping with.

When I looked at this earlier, I also noticed this wasn't clear.

The original LDAP implementation had no "init" concept: you set "global" parameters using ldap_set_option(NULL, ...), and when you were ready, you created an LDAP context with ldap_init(). The Mozilla/Novell toolkits broke this by introducing the ldapssl_client_init() functions and friends, which had to be called at some point during a global initialisation step.

APR LDAP tries to hide all SSL init inside the apr_ldap_set_option(NULL, ...) function, following the pattern laid down by OpenLDAP.

The toolkits set new frontiers for how inconsistently you could initialise certificates. Microsoft was the simplest: no certs at all, it is all in the registry. Tivoli is simple: one single global parameter, the path to the CMS database. OpenLDAP was straightforward: paths to each cert, key or CA cert. Then Mozilla came along and specified the various key3.db, cert7.db, etc. files. Then, some toolkits set certs globally, others set per connection, some supported both at the same time. Aaargh!

I think the "ssl" in apr_ldap_ssl_init() is a misnomer; the function should only be used to fire off truly global and generic initialisation values, i.e. do nothing for most toolkits. If you want to specify *anything* SSL related, you need to use apr_ldap_set_option(), which is geared up to support the different cert combos possible.

This is why the certificate path in the apr_ldap_ssl_init() function is deprecated, as it doesn't support all the possible ways in which SSL can be configured.

The LDAP code in httpd, for example, always passes NULL for the cert name to apr_ldap_ssl_init(), and then immediately follows by calling apr_ldap_set_option() to set zero or more certs globally. This second call makes sure that any future SSL is possible; without this call all SSL bets are off.
Regards,
Graham

-- 
[Attachment: smime.p7s, S/MIME Cryptographic Signature]
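The init ordering argued for in the thread (a truly global, toolkit-neutral init first; certificates set through the global option call; per-connection init only afterwards), as an added example that is neither from the thread nor from APR: a small C model of the two-stage setup. The stub toolkit and its return codes, the four-entry ca_path array, the function names, and the rule that a secure connection with no configured CA is refused are all constructed assumptions, not APR behaviour.

```c
#include <stdio.h>

/* Model of the two-stage LDAP SSL init discussed in the thread (not APR code).
 * The "toolkit" below is a constructed stub that, like some real toolkits,
 * reports ALREADY_INIT when its global init is called a second time. */
enum { RC_OK = 0, RC_ERR_TOOLKIT = 1, RC_ERR_NO_TRUST = 2 };
enum { TK_OK = 0, TK_ALREADY_INIT = 7, TK_FAIL = 99 };   /* constructed codes */

static int tk_inits = 0;           /* stands in for the toolkit's global state */
static int tk_ssl_init(void) { return tk_inits++ ? TK_ALREADY_INIT : TK_OK; }

typedef struct { int ssl_ready; int ca_count; const char *ca_path[4]; } ldap_global_t;
static ldap_global_t g;            /* the "set_option(NULL, ...)" global scope */

/* Stage 1: truly global init only. A repeat call is reported as success
 * rather than surfacing the toolkit's "already initialised" code, so a
 * second caller does not see a spurious failure it cannot act on. */
int ssl_global_init(void)
{
    int rc = tk_ssl_init();
    if (rc != TK_OK && rc != TK_ALREADY_INIT) return RC_ERR_TOOLKIT;
    g.ssl_ready = 1;
    return RC_OK;
}

/* Stage 2: global certificate configuration, the step httpd performs
 * right after the global init. Requires stage 1 to have run. */
int ssl_set_global_ca(const char *path)
{
    if (!g.ssl_ready || g.ca_count >= 4) return RC_ERR_TOOLKIT;
    g.ca_path[g.ca_count++] = path;
    return RC_OK;
}

/* Stage 3: per-connection init. A secure connection with no trust anchors
 * configured is refused here (fail closed) instead of connecting with
 * nothing to verify the server against. Plain connections are unaffected. */
int ldap_connection_init(int secure)
{
    if (secure && (!g.ssl_ready || g.ca_count == 0)) return RC_ERR_NO_TRUST;
    return RC_OK;
}

int main(void)
{
    printf("first init: %d\n", ssl_global_init());            /* 0 */
    printf("repeat init: %d\n", ssl_global_init());           /* 0, not an error */
    printf("secure, no CA: %d\n", ldap_connection_init(1));   /* 2 */
    ssl_set_global_ca("/path/to/ca.pem");                     /* constructed path */
    printf("secure, CA set: %d\n", ldap_connection_init(1));  /* 0 */
    return 0;
}
```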