Isaac Boukris wrote:
> Hi all,
>
> Following our discussion over cyrus-sasl PR 601 [1], I worked out a
> new wip patch:
> https://git.openldap.org/iboukris/openldap/-/commits/cbind_v3
>
> It changes the sasl channel-binding to be passed optionally (none by
> default), controlled via ldap.conf / slapd.conf, and adds
> "tls-server-end-point" binding type which is compatible with Windows.
>
> In addition, I noticed the current "tls-unique" implementation in
> openldap doesn't pass the prefix of the channel-binding as defined in
> RFC 5056, quote:
>
>    Specifications of channel bindings for any secure channels MUST
>    provide for a single, canonical octet string encoding of the
>    channel bindings. Under this framework, channel bindings MUST
>    start with the channel binding unique prefix followed by a colon
>    (ASCII 0x3A).
>
> So I fixed that too, by adding "tls-unique:" prefix as per RFC 5929
> registration. Note that this won't be compatible with older versions
> of openldap (say for GS2 users, if any), so it is another reason to
> not send any bindings by default, to avoid mismatches.
>
> I've only tested the openssl client backend code so far (on top of
> cyrus-sasl PR 601), the rest is pretty much pseudo code for now. I
> plan to work out the other backends, and add some unit-tests showing
> the expected bindings are being passed by both client and server (tips
> and help welcome).

Thanks for this. Would be nice to get other testers' eyes on it. Don't
spend any time on the MozNSS backend, we are removing it.

> Thoughts?
>
> Refs [1]:
> https://github.com/cyrusimap/cyrus-sasl/pull/601
> https://bugs.openldap.org/show_bug.cgi?id=9189
>
> Thanks!
> --

--
Howard Chu
CTO, Symas Corp.           http://www.symas.com
Director, Highland Sun     http://highlandsun.com/hyc/
Chief Architect, OpenLDAP  http://www.openldap.org/project/
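The RFC 5056 prefix rule and the two RFC 5929 binding types discussed in the thread, as an added Python example (not code from the OpenLDAP patch or from cyrus-sasl): it builds the canonical channel-binding octet strings and shows why a prefixed "tls-unique:" value no longer compares equal to the unprefixed form older OpenLDAP sends. The Finished message and certificate bytes are constructed placeholders, and the tls-server-end-point hash is chosen from the signatureAlgorithm name only (an assumption; a real implementation reads it from the parsed certificate).

```python
"""Canonical channel-binding encodings per RFC 5056 and RFC 5929."""
import hashlib
import hmac

# RFC 5056 s.2.1: the octet string MUST start with the registered
# channel-binding type name followed by a colon (0x3A).
PREFIX_TLS_UNIQUE = b"tls-unique:"
PREFIX_TLS_SERVER_END_POINT = b"tls-server-end-point:"

# Constructed placeholders (not real TLS data): a 12-byte verify_data and
# a fake DER blob standing in for the server's end-entity certificate.
SAMPLE_FINISHED = bytes.fromhex("0123456789abcdef01234567")
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(16))

_HASH_TOKENS = ("sha512", "sha384", "sha256", "sha224", "sha1", "md5")


def tls_unique_binding(first_finished: bytes) -> bytes:
    """RFC 5929 s.3: tls-unique is the first TLS Finished message on the
    connection; the RFC 5056 prefix is what the patch adds."""
    if not first_finished:
        raise ValueError("tls-unique is undefined before the first Finished")
    return PREFIX_TLS_UNIQUE + first_finished


def end_point_hash_algorithm(signature_algorithm: str) -> str:
    """RFC 5929 s.4.1: hash the certificate with SHA-256 when its
    signatureAlgorithm hash is MD5 or SHA-1, otherwise with that hash;
    with no single hash the binding is undefined (here: ValueError)."""
    name = signature_algorithm.lower().replace("-", "").replace("_", "")
    for tok in _HASH_TOKENS:
        if tok in name:
            return "sha256" if tok in ("sha1", "md5") else tok
    raise ValueError("no single hash in signatureAlgorithm; binding undefined")


def tls_server_end_point_binding(cert_der: bytes, signature_algorithm: str) -> bytes:
    """RFC 5929 s.4: prefix + hash(DER of the server certificate)."""
    digest = hashlib.new(end_point_hash_algorithm(signature_algorithm), cert_der).digest()
    return PREFIX_TLS_SERVER_END_POINT + digest


def bindings_match(client_cb: bytes, server_cb: bytes) -> bool:
    """Constant-time comparison of the two sides' channel-binding data.
    A prefixed client against an unprefixed (older) server fails here."""
    return hmac.compare_digest(client_cb, server_cb)
```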