On Tue, 12 Aug 2008, Howard Chu wrote:

> I've split all of the OpenSSL and GnuTLS-specific code into their own
> separate source files, to clean up some of the #ifdef mess that was in
> tls.c before. This approach actually allows support for both to be
> compiled in at the same time. I'll probably add an LDAP_OPT_X option to
> select which implementation to use at runtime. (It might make sense to
> make these dynamically loadable modules, but for now I don't want to
> make libldap dependent on ltdl/dlopen/whatever.)

Hah. I was going to be submitting an ITS/patch later this week to add an
ldap.conf option (TLS_MIN_PROTOCOL) and a slapd.conf option (TLSProtocolMin)
for disabling use of either just SSLv2 or both SSLv2 and SSLv3. I guess I'll
wait until your changes go in and redo it against the new layout. (My patch
only adds this for OpenSSL.)

> There's one user-visible change: get_option(LDAP_OPT_X_TLS_SSL_CTX) now
> returns a pointer to a privately defined structure. For GnuTLS this is
> in fact the same behavior as before. For OpenSSL this is a change; it
> used to return the actual (SSL *). If this is going to break something
> of yours, holler now...

Ick. If the meaning of the option is going to change, please change the name
at the same time.

Philip Guenther
