Closed Bug 132040 Opened 23 years ago Closed 23 years ago

LDAP command line tools need a "no man in the middle option"

Categories

(Directory :: LDAP Tools, defect, P2)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mcs, Assigned: mcs)

Details

Attachments

(1 file)

The LDAP command line tools should support an option that causes the SSL code to check that the hostname in the cert matches that of the SSL peer (to prevent a "man in the middle" attack). I propose that we call this option -3 (pronounced "no third person").
Status: NEW → ASSIGNED
Attached patch: proposed fix
I already coded up a fix. I added a new libssldap public function called ldapssl_set_strength() that can be used to set the default SSL strength or to set it on a per-ld basis. I also moved the ssl strength code from libraries/libssldap/clientinit.c to ldapsinit.c (that way we don't need the get_ssl_strength() function). I also made the CERTCertDBHandle a per-ld variable inside ldapsinit.c but there is no way to use anything other than the default cert db right now. Finally, I modified clients/tools/common.c to support the -3 option using the new ldapssl_set_strength() function. I also cleaned up some error printf's, etc. inside common.c.
Priority: -- → P2
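The comment above describes the check the new strength setting enables: with the weaker setting the client only verifies that the server's certificate chains to a trusted CA, while the "-3" setting additionally requires the name in the certificate to match the host the client connected to, which is what stops a peer presenting some other, otherwise valid, certificate. The following is an added illustration of that name-matching step, written for this page; it is not code from the Mozilla LDAP C SDK or from the attached patch, and the strength enum values, the hostname matching rules and the sample names are assumptions made for the example (the SDK's own constants live in ldap_ssl.h).

```c
/*
 * Added example, not code from the Mozilla LDAP C SDK or from the patch
 * attached to this bug.  It models the peer-name check the "-3" option
 * turns on: at the weaker strength any certificate that chains to a
 * trusted CA is accepted; at the stronger strength the certificate's
 * subject CN must also match the hostname the client connected to.
 * Strength values and matching rules are assumptions for illustration.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Illustrative strength levels (assumed, modelled on the comment's intent). */
enum ssl_strength {
    SSL_STRENGTH_NONE = 0,    /* no server authentication at all */
    SSL_STRENGTH_WEAK = 1,    /* verify the cert chain, ignore the name */
    SSL_STRENGTH_CNCHECK = 2  /* verify the chain AND subject CN == peer host */
};

/* Case-insensitive comparison of two DNS name fragments of length n. */
static bool label_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/*
 * Does the certificate name `cn` cover `host`?  Either an exact
 * (case-insensitive) match, or a wildcard in the leftmost label only:
 * "*.example.com" covers "ldap.example.com" but neither
 * "a.b.example.com" nor "example.com".
 */
bool cert_name_matches(const char *cn, const char *host)
{
    size_t cn_len = strlen(cn), host_len = strlen(host);

    /* Tolerate one trailing dot on either side (absolute FQDN form). */
    if (cn_len && cn[cn_len - 1] == '.') cn_len--;
    if (host_len && host[host_len - 1] == '.') host_len--;

    if (cn_len >= 2 && cn[0] == '*' && cn[1] == '.') {
        /* Wildcard: host must be exactly one label plus the CN's suffix. */
        const char *dot = memchr(host, '.', host_len);
        if (dot == NULL || dot == host)
            return false;                      /* no label, or an empty one */
        size_t suffix_len = host_len - (size_t)(dot - host) - 1;
        if (suffix_len != cn_len - 2)
            return false;
        return label_eq(cn + 2, dot + 1, suffix_len);
    }

    return cn_len == host_len && label_eq(cn, host, cn_len);
}

/*
 * Decide whether the connection is acceptable at the given strength.
 * `chain_ok` is the result of ordinary certificate chain validation,
 * supplied by the caller (in the real SDK NSS computes it).
 */
bool accept_peer(enum ssl_strength strength, bool chain_ok,
                 const char *cert_cn, const char *peer_host)
{
    switch (strength) {
    case SSL_STRENGTH_NONE:
        return true;
    case SSL_STRENGTH_WEAK:
        return chain_ok;
    case SSL_STRENGTH_CNCHECK:
        return chain_ok && cert_name_matches(cert_cn, peer_host);
    }
    return false;
}
```

The point of the two-argument `accept_peer` is visible in the last case: a certificate for `other.example.net` that chains correctly passes at `SSL_STRENGTH_WEAK` but is rejected at `SSL_STRENGTH_CNCHECK` when the client connected to `ldap.example.com`.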
Fixed on the trunk:

mozilla/directory/c-sdk/ldap/include/ldap_ssl.h new revision: 5.1; previous revision: 5.0
mozilla/directory/c-sdk/ldap/clients/tools/Options.txt new revision: 5.1; previous revision: 5.0
mozilla/directory/c-sdk/ldap/clients/tools/common.c new revision: 5.1; previous revision: 5.0
mozilla/directory/c-sdk/ldap/clients/tools/ldaptool.h new revision: 5.1; previous revision: 5.0
mozilla/directory/c-sdk/ldap/libraries/libssldap/clientinit.c new revision: 5.1; previous revision: 5.0
mozilla/directory/c-sdk/ldap/libraries/libssldap/ldapsinit.c new revision: 5.2; previous revision: 5.1
mozilla/directory/c-sdk/ldap/libraries/libldap_ssl.ex new revision: 5.1; previous revision: 5.0
mozilla/directory/c-sdk/ldap/libraries/macintosh/LDAPSSLClient.exp new revision: 5.1; previous revision: 5.0
mozilla/directory/c-sdk/ldap/libraries/msdos/winsock/ldapssl.def new revision: 5.1; previous revision: 5.0
mozilla/directory/c-sdk/ldap/libraries/msdos/winsock/nsldapssl32.def new revision: 5.1; previous revision: 5.0
mozilla/directory/c-sdk/ldap/libraries/msdos/winsock/nssldap32.def new revision: 5.1; previous revision: 5.0

Fix bug # 132040 - LDAP tools need a "no man in the middle" option. New libssldap public function: ldapssl_set_strength(). New command line tool option: -3 ("no third").
Fix bug # 134035 - LDAP command line tools don't report vendor mismatch. Improved error checks and reporting for SSL errors in tools.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Spam for bug 129472
QA Contact: nobody → nobody