From: Graham B. <gb...@po...> - 2001-07-05 18:59:18
On Thu, Jul 05, 2001 at 12:00:12PM +0100, Chris Ridd wrote:
> > OK, I have committed the changes to CVS, please check that I have not
> > broken Net::LDAPS
>
> Minor damage: you need to create an IO::Socket::SSL instead of an
> IO::Socket::INET in the new _connect method in LDAPS.pm :-)

Whoops :)

> Not quite. You need to issue an extended LDAP operation to indicate you're
> going to start the TLS handshake, so it needs to be something like this:
>
> sub startTLS {

I would rather stick to the same name convention as the rest of the module
and have start_tls

>   my $ldap = shift;
>   my $args = &_options;
>   if ($ldap->version < 3) {
>     require Carp;
>     Carp::croak("StartTLS not supported before LDAPv3");
>   }
>   require Net::LDAP::Extension;
>   my $mesg = Net::LDAP::Extension->new($ldap);
>   $mesg->encode(
>     extendedReq => {
>       requestName => "1.3.6.1.4.1.1466.20037",
>     }
>   );
>   $ldap->_sendmesg($mesg);
>   $mesg->sync();
>   if ($mesg->code) {
>     require Carp;
>     Carp::croak("LDAP_OPERATIONS_ERROR $@");
>   }
>   require IO::Socket::SSL;
>   IO::Socket::SSL::context_init($args);
>   IO::Socket::SSL::socketToSSL($ldap->socket);
> }
>
> *However* that returns an I/O error when you next try to call _sendmesg on
> the socket, even though the socket looks OK:
>
>   DB<1> x $ldap->socket
>   0  IO::Socket::SSL=GLOB(0x866b998)
>      -> *Symbol::GEN0
>         FileHandle({*Symbol::GEN0}) => fileno(3)
>
> ... same fd as before the socketToSSL, which is good.

Yes, looking at the code they just re-bless the given socket.

> The mechanism to select the ciphers and verify mode etc. needs some
> improvement too - perhaps the logic in Net::LDAPS to set this stuff should
> go into LDAP.pm
>
> I'm not sure calling context_init() is the right thing to do here either;
> it looks awfully 'global' in scope.
>
> We should also override startTLS in LDAPS to prevent someone from calling
> it on an LDAPS socket :-)

Right.

Graham.
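The StartTLS exchange the thread describes, as an added example that is not code from perl-ldap or either poster: it writes out the raw BER of the ExtendedRequest that Net::LDAP::Extension encodes for OID 1.3.6.1.4.1.1466.20037 and parses the server's ExtendedResponse, so that the socket is only handed to TLS after a success result. Python is used instead of the module's Perl; message IDs and both server answers are constructed.

```python
# Added illustration, not code from the perl-ldap thread: the StartTLS
# extended operation as raw BER, so the wire bytes behind
# Net::LDAP::Extension are visible. Sample responses are constructed.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

def tlv(tag: int, value: bytes) -> bytes:
    """BER TLV; short-form length is enough for these small messages."""
    if len(value) >= 0x80: raise ValueError("short-form length only")
    return bytes([tag, len(value)]) + value

def starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }."""
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID.encode("ascii")))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV); short-form lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_extended_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30: raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02: raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78: raise ValueError("not an [APPLICATION 24] ExtendedResponse")
    _, code, pos = read_tlv(op, 0)    # resultCode ENUMERATED
    _, _dn, pos = read_tlv(op, pos)   # matchedDN
    _, diag, _ = read_tlv(op, pos)    # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def may_start_tls(response: bytes, expected_id: int) -> bool:
    """Wrap the socket in TLS only after the server answered our request with success (0)."""
    mid, code, _ = parse_extended_response(response)
    return mid == expected_id and code == 0

# Constructed server answers: success, and protocolError (2) from a server
# that does not offer StartTLS. Only the first may be followed by socketToSSL.
SUCCESS = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78, tlv(0x0a, b"\x00") + tlv(0x04, b"")
              + tlv(0x04, b"") + tlv(0x8a, STARTTLS_OID.encode("ascii"))))
REFUSED = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78, tlv(0x0a, b"\x02") + tlv(0x04, b"")
              + tlv(0x04, b"unwilling to start TLS")))
```

The messageID check matters as much as the result code: a response to some other outstanding operation must not be mistaken for permission to switch the connection to TLS.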