From: Pierre D. <pd...@gm...> - 2018-06-24 13:22:10

On Tue, May 15, 2018 at 11:47:58AM +0200, Harald Oehlmann wrote:
>On 15.05.2018 at 11:24, Pierre DAVID wrote:
>> Hi everybody,
>>
>> could someone have a look at ticket
>> 60160205fe965d617482fd65dee13031fc16a1b7
>> https://core.tcl.tk/tcllib/tktview?name=60160205fe
>>
>> I'm asking for comments before submitting a patch.
>>
>> Thanks,
>>
>> Pierre
>
>Pierre,
>
>thank you for the message. I think this is o.k.
>
>Within the update of the autoproxy package, tls support was also
>touched. You may take this package for reference (tcllib folder http).
>
>- the handshake issue also arose there
>- twapi is supported as a 2nd possibility for a tls package
>
>Do you have write access to core.tcl.tk/tcllib ?
>If yes, best would be to prepare a branch.
>In the case of the above package, Andreas cared about it and gave
>helpful hints.
>

The deeper I dig into the problem, the more I'm lost.

LDAP, as well as many other modules, makes use of the TCL-TLS package. Moreover, applications *must* take care of this package, since their documentation explicitly mandates (see "TLS security considerations" in each manpage) the use of tls::init to configure TLS options such as the root CA directory/file (while some other TLS options are simply given as ::ldap::* parameters, see ticket).

This is incompatible with the use of an alternate TLS package such as the one you cite (twapi on Windows). Thus, for applications, there is yet another option to configure which TLS package to use (see ::autoproxy::configure -tls_package), which is rather boring.

In my opinion, applications should not have to bother with the TLS package at all: they should not have to configure WHICH package to use, nor use any low-level TLS configuration option such as ::tls::init. They should just specify which protocol or root CA location to use, and Tcllib modules should find the appropriate package. In my opinion, the path Tcllib has taken so far to handle TLS is not the right one.

I started to implement a ::ldap::tls_options which just specifies the appropriate options, which are used by ::ldap::secure_connect as well as ::ldap::starttls. Same for ::ldapx::tls, which is only a wrapper for the above ::ldap::tls_options.

Doing so, LDAP (via a low-level internal Tcllib module) is free to use either TCL-TLS or TWAPI without asking the application to bother with guessing which TLS package is appropriate for the platform.

Any opinion on this?

Pierre
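The design sketched in the message above, as an added example that is not code from tcllib, from the ticket, or from the thread's author: the application states what it wants (CA bundle, protocol versions, peer verification) through a ::ldap::tls_options procedure, and an internal helper picks the TLS package at run time, so the application never calls ::tls::init itself. The procedure names ::ldap::tls_options, ::ldap::tls_package and ::ldap::tls_socket, the accepted option list, the package-selection order and the host/CA path in the usage lines are assumptions made for this example; only the TCL-TLS calls (tls::socket, tls::import, tls::handshake and their -cafile/-cadir/-require/-tls1.x options) and the existence of twapi::tls_socket are taken from those packages' documented interfaces.

```tcl
# Added example, not tcllib code. Sketches a module-level TLS option
# store plus package auto-selection; names and option set are assumed.

namespace eval ::ldap {
    # Safe defaults: verify the peer (-require 1) and allow TLS 1.2 only.
    # Empty values mean "not set" and are not passed to the TLS package.
    variable tlsopts [dict create \
        -cafile   {} \
        -cadir    {} \
        -certfile {} \
        -keyfile  {} \
        -require  1 \
        -tls1.2   1 \
        -tls1.1   0 \
        -tls1     0]
}

# Record TLS options for later secure_connect / starttls calls.
# Only known keys are accepted, so a misspelled option cannot
# silently leave verification disabled.
proc ::ldap::tls_options {args} {
    variable tlsopts
    foreach {opt val} $args {
        if {![dict exists $tlsopts $opt]} {
            return -code error "unknown TLS option \"$opt\""
        }
        dict set tlsopts $opt $val
    }
    return $tlsopts
}

# Return the name of a usable TLS package, preferring TCL-TLS and
# falling back to twapi (Windows). Probed once, then cached.
proc ::ldap::tls_package {} {
    variable tlspkg
    if {[info exists tlspkg]} { return $tlspkg }
    if {![catch {package require tls}]} {
        set tlspkg tls
    } elseif {![catch {package require twapi}]} {
        set tlspkg twapi
    } else {
        return -code error "no TLS package (tls or twapi) available"
    }
    return $tlspkg
}

# Open a TLS socket to host:port, or, when $chan is given, upgrade
# that existing plain socket in place (the STARTTLS case).
proc ::ldap::tls_socket {host port {chan {}}} {
    variable tlsopts
    switch -- [tls_package] {
        tls {
            # TCL-TLS takes the same options on tls::socket and
            # tls::import, so one option dict serves both paths.
            set opts {}
            dict for {k v} $tlsopts {
                if {$v ne {}} { lappend opts $k $v }
            }
            if {$chan eq {}} {
                set chan [tls::socket {*}$opts $host $port]
            } else {
                tls::import $chan {*}$opts
            }
            # Run the handshake now so a certificate verification
            # failure surfaces here rather than on the first LDAP read.
            tls::handshake $chan
        }
        twapi {
            # Mapping the option dict onto twapi::tls_socket's own
            # credential/verifier interface is not shown here (assumption:
            # left to the real module); the plain connect path is enough
            # to illustrate that the application code above does not change.
            if {$chan ne {}} {
                return -code error "STARTTLS via twapi not shown in this example"
            }
            set chan [twapi::tls_socket $host $port]
        }
    }
    return $chan
}

# Usage (hypothetical host and CA bundle path):
#   ::ldap::tls_options -cafile /etc/ssl/certs/ca-bundle.crt
#   set sock [::ldap::tls_socket ldap.example.com 636]
#   ::ldap::tls_socket ldap.example.com 389 $plainsock   ;# STARTTLS upgrade
```

The security-relevant point is the default: with -require 1 and no CA location set, the TCL-TLS handshake fails rather than accepting any certificate, which is the opposite of what happens today when an application forgets the ::tls::init call its manpage tells it to make.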