On Wed, Sep 03, 2003 at 11:46:30AM -0400, Charles B Cranston wrote:
> Sean McKay wrote:
>
> >I was not able to get the LDAPS server to respond to the query so out of
> >desperation, I thought I'd try HTTPS -- if I remember right, I think
> >Microsoft uses a non-standard for LDAPS that I can't remember right now.
>
> I am aware of one incompatibility in the LDAP world. This causes OpenLDAP
> to be incompatible with both the IBM Directory Server and I believe with
> Microsoft as well. This is due to a modification to the way that LDAP
> does encoding to thwart a possible attack method, unfortunately, neither
> of these products interworks with the thwart.
>
> Interestingly enough, the Perl Net::LDAPS works fine with EITHER kind of
> server. It is totally written in Perl so does not use any of these
> libraries.
>
> You might try to see if you can set a bit in OpenLDAP that passes
> through to OpenSSL that says "don't implement the thwart". I had a
> conjecture that this might work (I was working in PHP at the time)
> but never had a chance to test it out.
>
> But there is clearly an incompatibility, and we had to do local code to
> make the Apache SSL stuff work with a "special library" IBM donated
> to us.
>
> I might be able to post a URL for a technical explanation if anybody
> is interested in seeing it.

yes please. Is it an "empty fragment" counter-measure introduced by
OpenSSL and not yet widely implemented elsewhere?

regards,
Vadim

>
> --
> Charles B (Ben) Cranston
> mailto: [EMAIL PROTECTED]
> http://www.wam.umd.edu/~zben
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
