Closed Bug 141754 Opened 22 years ago Closed 20 years ago

Enhancement: Should support startTls

Categories

(Directory :: LDAP C SDK, enhancement)

Product:
Directory
Component:
LDAP C SDK
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mhein, Assigned: mcs)

References

Details

Attachments

(4 files, 6 obsolete files)

revised patch: improved error handling
45.79 KB, patch
Details | Diff | Splinter Review
diffs against previous proposal
14.85 KB, patch
Details | Diff | Splinter Review
revised ldapsinit.c and prldap-public.c
12.16 KB, application/x-zip-compressed
Details
Patch over attachment 158207
964 bytes, patch
Details | Diff | Splinter Review 
The C SDK should support startTls
Attached patch First cut (obsolete) — Splinter Review 
This is a first cut at starttls.  It has not been tested and only compiled on
Solaris for now.  I had to make a change to build.mk as well......the line 
PERL = ?perl is causing problems for the generation of *def/*exp files.
Attached file Test case (obsolete) — 
Small test program
Thanks for submitting this. I have not tried the code yet, but I have a few of
initial comments:

- I do not think the application should pass the NSS cert db and key db paths to
ldapssl_tls_start_s(). Instead, we should require that the application call one
of the existing ldapssl_..._init() functions first.

- We need to check and see what start TLS APIs are provided in other LDAP API
implementations (to see if it makes sense to align with what they have done). I
will check Microsoft, IBM and OpenLDAP soon. For example, we should probably
have an ldapssl_tls_start() function and another one that parses the response
and switches the connection to secure mode.

- We need to think about how to factor this code so that it could be used by the
Mozilla 1.x client team. That might be difficult, because they do not use
libssldap at all.
Comment on attachment 82029 [details] [diff] [review]
First cut

I need to try this code and do a more detailed review, but here are a few
comments:

1) We will want to support an asynchronous API in addition to
ldapssl_starttls_s(). Someone should look at the OpenLDAP (or IBM) API for
start TLS to see if it makes sense to implement the same API.

2) I'd rather not expose the LDAP_X_OPT_SOCKBUF functionality to other LDAP
applications. There might be a different way for the prldap layer to get at the
socket info.

3) Rather than providing the two new prldap_get_default_socket_info() and
prldap_set_default_socket_info() functions, why not just add an option or two
to   oprldap_get_session_option() to allow callers to retrieve the fd and
socketarg for the default connection, e.g.,

#define PRLDAP_OPT_DEFAULT_FD	      2
#define PRLDAP_OPT_DEFAULT_SOCKETARG  3
?

Then the existing prldap_set_socket_info() and prldap_get_socket_info()
functions can be used after calling prldap_get_session_option() to retrieve the
above.

4) I think we should keep the basic SSL initialization separate from
ldapssl_tls_start_s() and just require that initialization be done before
ldapssl_tls_start_s() is called. Applications that want to handle SSL
initialization themselves should be able to use our startTLS APIs. Basically,
just remove the ldapssl_clientauth_init() call inside
ldapssl_enableSSL_on_open_connection().

5) We need to think about how much effort we should put into helping
applications that can't use the libssldap layer use startTLS (e.g., the Mozilla
1.x client).
Attachment #82029 - Flags: needs-work+
New preferences request to auto-detect server capabilities filed as bug 185631.
Spam for bug 129472
QA Contact: nobody → nobody
Mass reassign of 4 older LDAP C SDK bugs to mcs@pearlcrescent.com.
Assignee: mhein → mcs
Attached patch Proposed patch for Start TLS (obsolete) — Splinter Review 
This code was written by Alok Gondhalekar <alok@bozemanpass.com>, I'm uploading
it because I wanted to attach some commentary about the design
decisions. I will add that text to the bug report next...
Some comments on the patch I just uploaded:

1. It implements an -L option in the client tools. This tells ldapsearch etc 
to use Start TLS. Also implemented is a -LL option. This is similar to options 
supported in the OpenLDAP clients tools: -L says to try Start TLS but carry on
using plaintext if it fails. -LL says to fail hard if Start TLS fails.

2. The central problem with Start TLS is to convert an existing connection
to an SSL connection, mid-flight. There are two different cases to be handled:
a) Where the existing connection is using the prldap layer (NSPR I/O) and
b) Where the existing connection is not using prldap.
In both cases, the eventual goal is to have prldap enabled, and then SSL
(because NSS SSL relies on NSPR I/O).
For the already-prladp case, things are a bit easier: we only need to 
import the NSPR socket into SSL. For the non-prldap case, things are
more complex: we need to first import the connection into the prldap layer.
Subsequent to that step, the two cases are the same. To facilitate the 
connection import to prldap, two new functions were added to that layer:
prldap_check_nspr(), which tells the caller if the connection is already
using prldap/NSPR (the caller otherwise has no way to tell due to layering
issues). The second call is prldap_import_connection() which is patterned
after other 'import' functions: it takes the OS socket as its second argument,
and does whatever is necessary to enable prldap on the LD passed as the first 
argument.

3. SSL configuration is something of a problem. This is because it is
not possible to perform some of the SSL config until SSL-related structures are
created. These stuctures are not created until _after_ the decision to enable
SSL on the connection. However, once SSL has been enabled, it's logically
too late to perform the SSL config. This situation is also present in
'classic' SSL in the SDK. It seems that the API, and applications that use it
actually take advantage of the fact that no real SSL negotiation is done 
until the next PDU following SSL enable is sent. This might not be totally
clear to an application writer, but it's how the code has always worked, AFAIK.
Anyway, the result is that you _can_ call the ssl configuration functions
after enabling SSL, and the right thing happens. This is because those
functions change state in the SSL structures, and within NSS, and that 
state is not used until SSL negotation takes place. We have retained this
behavior with Start TLS: so an application can (and indeed must) call 
ldap_start_tls_s() first, then call ldaps_enable_clientauth() (or similar),
and _then_ perform an LDAP operation such as ldap_search(). SSL negotiation
on-the-wire only happens at the point the ldap_search() sends the search
request PDU. 

4. The API implemented (ldap_start_tls_s() ) is identical to the OpenLDAP
API, and very similar to Microsoft's and Novell's. 

5. Layering and modularity issues were a challenge in this implementation.
It seems hard to do Start TLS without introducing some accessors to 
break layering. We tried several different approches and this one has
the least added accessors. We added LDAP_X_OPT_EXTIO_SOCKET_FN_PTRS to allow
code outside of libldap (libsldap specifically) to retrieve the 
native connection socket from the BER layer.

This code has been tested against both the Netscape Directory Server
and the OpenLDAP server, on the following (client) platforms: Win32,
HP-UX 11.11 (both 32-bit and 64-bit), Solaris9 (both 32-bit and 64-bit),
Linux (Redhat AS3, Mandrake 9.2 and Mandrake 10.0).

  


Comment on attachment 155600 [details] [diff] [review]
Proposed patch for Start TLS

Overall, the patch looks very good.  Here are my comments on the changes in
mozilla/directory/c-sdk/ldap/clients/tools/common.c:

1) We can't use -L because that option is already used by ldapsearch to request
that LDIF be output (which is the default, but given that many people include
-L because OpenLDAP's ldapsearch requires it, I'd hate to change the meaning of
-L).  All single letter options are used by one of the tools or another; see
the "not used by any of the tools" line in Options.txt for details.  My best
suggestion is to use -ZZ and -ZZZ in place of -L and -LL.  I am open to a
better suggestion (bug 199130 is already open saying we need to support GNU
style long options, e.g., --tls).

2) Please add a space after the word request in the -LL usage line.

3) Should we call perror() when the prldap_init() call fails?  That is what is
done below the startTLS code you added; I am not 100% sure the system errno is
interesting in that case though.

4) I think the ldapssl_client_init() call you added is redundant (it or
ldapssl_pkcs_init() is called above).

5) Please exit with the value returned by ldap_start_tls_s() instead of
LDAP_LOCAL_ERROR.
Attachment #155600 - Flags: review-
Status: NEW → ASSIGNED
Comment on attachment 155600 [details] [diff] [review]
Proposed patch for Start TLS

Here are my comments on the core libldap changes
(.../ldap/include/ldap-extension.h, .../ldap/libraries/libldap/extendop.c, 
getoption.c, ldap-int.h, and setoption.c):

1) LDAP_OPT_START_TLS should be replaced by LDAP_X_OPT_START_TLS.  New LDAP API
extensions should begin with LDAP_X_OPT and should be assigned numbers based
off LDAP_OPT_PRIVATE_EXTENSION_BASE.  This is required by the LDAP C API
Internet Draft (currently suspended, but I hope to bring it back to life again
soon).

2) The older LDAP_X_OPT_EXTIO_FN_PTRS and the new
LDAP_X_OPT_EXTIO_SOCKET_FN_PTRS option you added are very similar (the
difference is that the new one retrieves the I/O functions for the default/main
LDAP TCP connection).  I would prefer to add an option that is very similar to
LDAP_OPT_DESC (perhaps LDAP_X_OPT_SOCKETARG) that is used to get and set the
socketarg.

3) The fix to extendop.c is also the subject of bug 242143.  Please take a look
at the patch proposed there (nearly the same).

4) Another thought on LDAP_OPT_START_TLS: it seems like it is not something
applications should manipulate themselves but rather something needed
internally by the libssldap layer.  Is that true?  If so, why not just add it
to LDAPSSLSessionInfo?
Comment on attachment 155600 [details] [diff] [review]
Proposed patch for Start TLS

Here are my comments on the libssldap related changes (files
.../include/ldap_ssl.h, .../libraries/libldap_ssl.ex,
.../libraries/libssldap/ldapsinit.c, .../libraries/msdos/winsock/ldapssl.def,
.../libraries/msdos/winsock/nsldapssl32.def, and
.../libraries/msdos/winsock/nssldap32.def); most of the comments are related to
ldapsinit.c:

1) Let's use the same name for the startTLS OID macro as OpenLDAP does.  They
have:

#define LDAP_EXOP_START_TLS   "1.3.6.1.4.1.1466.20037"	/* RFC 2830 */


2) It would be nice to factor some of the common code in ldaptls_complete() and
ldapssl_connect() and place it in a common function that both call.  At a
glance, it doesn't look too difficult to me but maybe you already tried and
decided it wasn't worth the trouble?

3) If ldaptls_complete() fails it closes the connection.  Is that what we
really want to happen?	Doesn't that make it so the -L option won't always fail
softly?

4) Inside ldaptls_setup(), I would return LDAP_LOCAL_ERROR in the cases you
return LDAP_OTHER.

5) Let's create a small internal helper function called
ldapssl_alloc_sessioninfo() and call it from ldapssl_install_routines() and
ldaptls_setup().  That way if we ever improve that code it will be in one
place.

6) Inside ldap_start_tls_s() there are a lot of places where the return value
from ldap_set_option() is checked against LDAP_SUCCESS.  Technically,
ldap_set_option() returns 0 or -1, not an LDAP result code.  So it would be
clearer to check for == 0 or < 0.  Same for ldap_get_option().

7) In this code snippet from ldap_start_tls_s():

+   if ( ( rc = ldap_extended_operation_s( ld, START_TLS_OID, NULL,
serverctrls,
+	clientctrls, &oidptr, &dataptr ) ) != LDAP_SUCCESS )
+   {
+	ber_bvfree( dataptr );
+	ldap_memfree( oidptr );
+	ldap_set_lderrno( ld, LDAP_UNWILLING_TO_PERFORM, NULL, NULL );
+	return( LDAP_UNWILLING_TO_PERFORM );
+   }


Shouldn't LDAP_UNWILLING_TO_PERFORM be replaced with rc?  If possible, I would
change ldaptls_setup(), ldaptls_complete() to return an LDAP result code and
return that instead of unwilling to perform in this section also:

+   /* Initialize TLS and enable SSL on the LDAP session */
+   if ( ( rc = ldaptls_setup( ld ) ) != LDAP_SUCCESS	||
+	 ( rc = ldaptls_complete( ld ) ) != LDAP_SUCCESS   ||
+	 ( rc = ldap_set_option( ld, LDAP_OPT_SSL, LDAP_OPT_ON ) )!=
LDAP_SUCCESS )
+   {
+
+	/* Allow to proceed in clear text if secure session fails */
+	ldap_set_option( ld, LDAP_OPT_SSL, LDAP_OPT_OFF );
+	ldap_set_option( ld, LDAP_OPT_START_TLS, LDAP_OPT_OFF );
+	ldap_set_lderrno( ld, LDAP_UNWILLING_TO_PERFORM, NULL, NULL );
+	return( LDAP_UNWILLING_TO_PERFORM );
+   }
Comment on attachment 155600 [details] [diff] [review]
Proposed patch for Start TLS

This is the final batch... my comments on the proposed libprldap changes (files
.../include/ldappr.h, .../libraries/libprldap/ldappr-int.h,
.../libraries/libprldap/ldappr-io.c, .../libraries/libprldap/ldappr-public.c,
.../libraries/libprldap/libprldap.ex,
.../libraries/msdos/winsock/nsldappr-incl.def,
.../libraries/msdos/winsock/nsldappr32.def):

1) Can we rename the prldap_check_nspr() function to prldap_is_installed()?

2) Insider prldap_check_nspr(), please check the result of ldap_get_option()
against 0 instead of LDAP_SUCCESS.  Otherwise someone will think
ldap_get_option() could return values like LDAP_NO_MEMORY.

3) prldap_import_connection() assumes the file desc it is importing is the one
associated with the default/main LDAP TCP connection.  I think it would be
better to acknowledge that fact very clearly by removing the orig_socket
parameter (retrieve it via a call like ldap_get_option( ld, LDAP_OPT_DESC, ...)

4) My original thought use of the prldap layer would be a prerequisite to using
startTLS in the LDAP C SDK.  But now that you have written the code to import
into prldap, we might as well keep it.	The only thing that worries me is that
PR_ImportTCPSocket() does not appear in a public NSPR header file.  Any idea
why it is not a public NSPR function?
I just noticed 2 new warnings when I built the revised code:

setoption.c:234: warning: passing arg 3 of `ber_sockbuf_set_option' discards
qualifiers from pointer target type

common.c:1003: warning: suggest parentheses around assignment used as truth value

I guess a cast should be added to fix the first one.  In common.c it looks like
a left paren. is misplaced:

+       /* Initialize TLS over the clear-text LDAP session */
+       if (rc = (ldapssl_client_init(ssl_certdbpath, NULL))< 0) {
...



Added dependency on bug 242143 (ldap_extended_operation(3) sends requestValue
when not requested).
Depends on: 242143
Comment on mcs's comment:

>4) Another thought on LDAP_OPT_START_TLS: it seems like it is not something
>applications should manipulate themselves but rather something needed
>internally by the libssldap layer.  Is that true?  If so, why not just add it
>to LDAPSSLSessionInfo?

I think the idea was that applications might want to know after the fact if
the connection is used start tls. If this seems unlikely then I agree that
it isn't necessary to expose this state to the application.



More comments on comments:

>2) It would be nice to factor some of the common code in ldaptls_complete() 
and
>ldapssl_connect() and place it in a common function that both call.  At a
>glance, it doesn't look too difficult to me but maybe you already tried and
>decided it wasn't worth the trouble?

I agree. We decided not to do this at this point on the basis that it
would further confuse the diffs. But in principle we think this is a very good 
idea.



Answer to mcs comment:

>4) My original thought use of the prldap layer would be a prerequisite to 
using
>startTLS in the LDAP C SDK.  But now that you have written the code to import
>into prldap, we might as well keep it.	The only thing that worries me is that
>PR_ImportTCPSocket() does not appear in a public NSPR header file.  Any idea
>why it is not a public NSPR function?

I'm not sure, but it was wan-teh that suggested its use, so I believe it is
kosher. I will ask him what the status of this function is (I believe he
might be on vacation right now).



Excepting the specific cases above where I've made a comment,
I agree with all mcs's review comments.
My responses to David's responses:

On the LDAP_OPT_START_TLS question, I do not think it is worth exposing this to
applications.  I'd rather minimize the additional interfaces and options in
libldap; there are already many.  So I'd like to see it change to a libssldap
internal bit.

On refactoring the code in ldaptls_complete() and ldapssl_connect() so less code
is duplicated, I think we can defer doing that for now.  Maybe I will make a
pass at that after we land the startTLS feature.

On PR_ImportTCPSocket(), please check with Wan-Teh.  But for now it sounds like
it is OK to use.

Let me know if you want help with some of the other changes.  I do not currently
have a DS set up where I can test startTLS, but I could do that with only a
moderate amount of pain ;-)
Wan-Teh says that PR_ImportTCPSocket is ok to use if there is no alternative
(which there isn't in this case).
New proposed patch for Start TLS; includes changes as per Comments #10 through
#15 and #17 by Mark Smith.

I would like to add some notes about the new patch and client tools -

1. Case of Hard failure : Missing CA cert in certificate db. 

2. Case of soft failure : Server is unwilling to perform Start TLS.( disabled
SSL/TLS on server or  no extended operation support by server).

The clause from section 2.3 from RFC 2830 holds true in this case; if the Start
TLS operation fails then, "The client MAY proceed with any LDAP operation, or
it MAY close the connection."
Thanks for the revised patch.  Can you recreate it as a unified diff?  I always
use a command like this to create diffs for posting in bug reports:

cvs -nq diff -u8 -N

(-u8 for unified diffs with 8 lines of context and -N to include the contents of
new files).


Let me know if you need the unified diffs with some blank line cleanup.


Thanks.
A note about testing: this patch has been incorporated into private builds
of the SDK that are in turn used in the Netscape Server and the client tools.
The resulting builds have been subjected to the server regression tests and 
passed. In addition new start TLS tests have been run that exercise the 
code quite well on : Win32, Linux, 64-bit Solaris, 32-bit Solaris, 64-bit HP-
UX and 32-bit HP-UX.


Comment on attachment 156631 [details] [diff] [review]
unified diffs of patch (id=156540)

The new patch looks good.  Just a few small comments:


>Index: mozilla/directory/c-sdk/ldap/clients/tools/common.c
> ...
>+    
>+    /* If '-Z' is specified, ignore -ZZ or -ZZZ */
>+    if ( isZ && isZZ ) {
>+	fprintf( stderr, "%s: with -Z option, do not specify -ZZ or -ZZZ option\n\n", ldaptool_progname ); 
>+	return (-1);
>+     }

I do not think the above code is needed now that -ZZ effectively "turns off"
-Z.  Right?


>Index: mozilla/directory/c-sdk/ldap/libraries/libldap/getoption.c
> ...
>+	  
>+	/* extended socket i/o function pointers (to get socketargp)*/
>+	case LDAP_X_OPT_SOCKETARG:
>+		if ( ber_sockbuf_get_option( ld->ld_sbp,
>+		    LBER_SOCKBUF_OPT_EXT_IO_FNS, optdata ) != 0 ) {
>+			LDAP_SET_LDERRNO( ld, LDAP_LOCAL_ERROR, NULL, NULL );
>+			rc = -1;
>+		}
>+		break;

LDAP_X_OPT_SOCKETARG should not return all of the I/O function pointers; it
should just return the socketarg.  It looks like you renamed the option but did
not revise the implementation.


>Index: mozilla/directory/c-sdk/ldap/libraries/libldap/setoption.c
> ...
>+	 /* extended socket i/o function pointers (set Socket Arg)*/
>+	case LDAP_X_OPT_SOCKETARG:
>+		if ( ber_sockbuf_set_option( ld->ld_sbp,
>+		    LBER_SOCKBUF_OPT_EXT_IO_FNS, (void *)optdata ) != 0 ) {
>+			LDAP_SET_LDERRNO( ld, LDAP_LOCAL_ERROR, NULL, NULL );
>+			rc = -1;
>+		}
>+	  break;
>+	  

Same comment here.


>Index: mozilla/directory/c-sdk/ldap/libraries/libssldap/ldapsinit.c
> ...
>+    /*
>+     * Retrieve session info. so we can store a pointer to our session info.
>+     * in our socket info. later.
>+     */
>+    memset( &sei, 0, sizeof(sei));
>+    sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
>+    if ( prldap_get_session_info( ld, NULL, &sei ) < 0 ) {
>+	return( -1 );
>+    }

Unlike ldap_get_option(), prldap_get_session_info() DOES return an LDAP result
code so it would be better to check for != LDAP_SUCCESS above. If we could
change ldap_get_option() we would but it is much too late for that ;-)

>+    /*
>+     * Let the standard NSPR to LDAP layer know about the new socket and
>+     * our own socket-specific data.
>+     */
>+    soi.soinfo_prfd = sslfd;
>+    soi.soinfo_appdata = (void *)ssoip;
>+
>+    if ( prldap_set_socket_info( intfd, socketargp, &soi ) < 
>+			0 ) {
>+		goto close_socket_and_exit_with_error;
>+    }

Same comment as above applies to prldap_set_socket_info() too.


>+    /* Check if NSPR Layer is Installed */
>+    if ( !prldap_is_installed(ld) )
>+    {  /* No NSPR Layer installed, 
>+        * Call prldap_import_connection() that installs the NSPR I/O layer
>+	* and imports connection details from Clear-text connection
>+	*/
>+    	if ( prldap_import_connection(ld, fd) <  0 )
>+    	{
>+		ldap_set_lderrno( ld, LDAP_OTHER, NULL, NULL );
>+		return( -1 );
>+    	}

prldap_import_connection() also returns an LDAP result code... at least it
should.  Please fix the calls to prldap_import_connection() as well as the
implementation of prldap_import_connection().

Also, these comments I made on attachment 155600 [details] [diff] [review] were not addressed.  I still
believe in them; please let me know if you disagree with them:

a) In tools/common.c, I think the ldapssl_client_init() call you added is
redundant (it or
ldapssl_pkcs_init() is called above).

b) prldap_import_connection() assumes the file desc it is importing is the one
associated with the default/main LDAP TCP connection.  I think it would be
better to acknowledge that fact very clearly by removing the orig_socket
parameter (retrieve it via a call like ldap_get_option( ld, LDAP_OPT_DESC, ...)

c) Let's create a small internal helper function called
ldapssl_alloc_sessioninfo() and call it from ldapssl_install_routines() and
ldaptls_setup().  That way if we ever improve that code it will be in one
place.
Attachment #155600 - Attachment is obsolete: true
In reviewing attachment 158112 [details] [diff] [review] I noticed a few remaining error handling issues.
 I fixed them, and this is the revised patch.  I will also attach the changes
compared to the previous proposal (attachment 158112 [details] [diff] [review]) and the revised files
where I made the biggest changes.
Attachment #82029 - Attachment is obsolete: true
Attachment #82030 - Attachment is obsolete: true
Attachment #156540 - Attachment is obsolete: true
Attachment #156631 - Attachment is obsolete: true
Attachment #158112 - Attachment is obsolete: true
Thanks! We will re-test the revised code and report back.
These last changes test out ok for us.
Much thanks to Sun, Netscape/AOL, especially Alok and David for their
contributed fixes.

This fix has now been committed to the trunk.  It is good to close this aging bug!

mozilla/directory/c-sdk/ldap/clients/tools/common.c
  new revision: 5.14; previous revision: 5.13
mozilla/directory/c-sdk/ldap/include/lber.h
  new revision: 5.3; previous revision: 5.2
mozilla/directory/c-sdk/ldap/include/ldap-extension.h
  new revision: 5.4; previous revision: 5.3
mozilla/directory/c-sdk/ldap/include/ldap_ssl.h
  new revision: 5.5; previous revision: 5.4
mozilla/directory/c-sdk/ldap/include/ldappr.h
  new revision: 5.5; previous revision: 5.4
mozilla/directory/c-sdk/ldap/libraries/libldap_ssl.ex
  new revision: 5.5; previous revision: 5.4
mozilla/directory/c-sdk/ldap/libraries/liblber/io.c
  new revision: 5.8; previous revision: 5.7
mozilla/directory/c-sdk/ldap/libraries/libldap/getoption.c
  new revision: 5.4; previous revision: 5.3
mozilla/directory/c-sdk/ldap/libraries/libldap/setoption.c
  new revision: 5.5; previous revision: 5.4
mozilla/directory/c-sdk/ldap/libraries/libprldap/ldappr-int.h
  new revision: 5.3; previous revision: 5.2
mozilla/directory/c-sdk/ldap/libraries/libprldap/ldappr-io.c
  new revision: 5.4; previous revision: 5.3
mozilla/directory/c-sdk/ldap/libraries/libprldap/ldappr-public.c
  new revision: 5.3; previous revision: 5.2
mozilla/directory/c-sdk/ldap/libraries/libprldap/libprldap.ex
  new revision: 5.3; previous revision: 5.2
mozilla/directory/c-sdk/ldap/libraries/libssldap/ldapsinit.c
  new revision: 5.10; previous revision: 5.9
mozilla/directory/c-sdk/ldap/libraries/msdos/winsock/ldapssl.def
  new revision: 5.5; previous revision: 5.4
mozilla/directory/c-sdk/ldap/libraries/msdos/winsock/nsldappr-incl.def
  new revision: 5.3; previous revision: 5.2
mozilla/directory/c-sdk/ldap/libraries/msdos/winsock/nsldappr32.def
  new revision: 5.3; previous revision: 5.2
mozilla/directory/c-sdk/ldap/libraries/msdos/winsock/nsldapssl32.def
  new revision: 5.5; previous revision: 5.4
mozilla/directory/c-sdk/ldap/libraries/msdos/winsock/nssldap32.def
  new revision: 5.5; previous revision: 5.4
    Fix bug # 141754 - Enhancement: Should support startTLS.
     LDAP command line tools now accept 2 new options:
        -ZZ  (issue a startTLS request)
        -ZZZ (like -ZZ but require a successful response).
     API extensions:
      ldap_ssl.h: LDAP_EXOP_START_TLS macro (OID of start TLS extended op.).
      libssldap:  Added ldap_start_tls_s() function.
      libprldap:  Added prldap_is_installed() and prldap_import_connection().
      libldap:    Added new LDAP_X_OPT_SOCKETARG option for ldap_get_option()
                    and ldap_set_option() (get/set the socketarg associated
                    with the main LDAP TCP connection).
      liblber:    Added new LBER_SOCKBUF_OPT_SOCK_ARG option for
                     ber_sockbuf_set_option() and ber_sockbuf_get_option()
                     (get/set the socketarg associated with a Sockbuf).
    Also, some refactoring was done in libssldap to simplify the code.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
An additional semi-colon is causing build failures on some non-gcc compilers.
The diff is attached to show the location of the extra character.
Oops.  Fix committed:

mozilla/directory/c-sdk/ldap/libraries/libssldap/ldapsinit.c
  new revision: 5.11; previous revision: 5.10
    Additional fix for 141754 - Enhancement: Should support startTls:
      Remove extra semicolon which causes an error on some non-gcc compilers.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: