mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-03-07 14:18:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

ITS#9207 - Remove MozNSS code and documentation

Browse Source
This commit is contained in:
Quanah Gibson-Mount 2020-04-17 17:19:25 +00:00
parent 3dd0d77d1a
commit a019e7fe1a
15 changed files with 32 additions and 3662 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
configure.in
View File

@ -241,8 +241,8 @@ OL_ARG_WITH(fetch,[ --with-fetch with fetch(3) URL support],
auto, [auto yes no] )
OL_ARG_WITH(threads,[ --with-threads with threads],
auto, [auto nt posix mach pth lwp yes no manual] )
OL_ARG_WITH(tls,[ --with-tls with TLS/SSL support auto|openssl|gnutls|moznss],
auto, [auto openssl gnutls moznss yes no] )
OL_ARG_WITH(tls,[ --with-tls with TLS/SSL support auto|openssl|gnutls],
auto, [auto openssl gnutls yes no] )
OL_ARG_WITH(yielding_select,
[ --with-yielding-select with implicitly yielding select],
auto, [auto yes no manual] )
@ -1252,32 +1252,6 @@ if test $ol_link_tls = no ; then
fi
fi
dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3
dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs
dnl are not in the default system location
if test $ol_link_tls = no ; then
if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then
have_moznss=no
AC_CHECK_HEADERS([nssutil.h])
if test "$ac_cv_header_nssutil_h" = yes ; then
AC_CHECK_LIB([nss3], [NSS_Initialize],
[ have_moznss=yes ], [ have_moznss=no ])
fi
if test "$have_moznss" = yes ; then
ol_with_tls=moznss
ol_link_tls=yes
AC_DEFINE(HAVE_MOZNSS, 1,
[define if you have MozNSS])
TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
else
if test $ol_with_tls = moznss ; then
AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)])
fi
fi
fi
fi
WITH_TLS=no
if test $ol_link_tls = yes ; then
AC_DEFINE(HAVE_TLS, 1, [define if you have TLS])

1
doc/guide/admin/appendix-recommended-versions.sdf
View File

@ -17,7 +17,6 @@ Feature|Software|Version
{{TERM[expand]TLS}}:
|{{PRD:OpenSSL}}|0.9.7+
|{{PRD:GnuTLS}}|2.12.0
|{{PRD:MozNSS}}|3.12.9
{{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.21+
{{TERM[expand]Kerberos}}:
|{{PRD:Heimdal}}|Version

3
doc/guide/admin/aspell.en.pws
View File

@ -1351,9 +1351,6 @@ MChAODQ
lookups
GnuTLS
gnutls
MozNSS
MOZNSS
moznss
LTONLY
SNMP
timelimit

9
doc/guide/admin/install.sdf
View File

@ -63,16 +63,15 @@ installation instructions provided with it.
H3: {{TERM[expand]TLS}}
OpenLDAP clients and servers require installation of {{PRD:OpenSSL}},
{{PRD:GnuTLS}}, or {{PRD:MozNSS}}
OpenLDAP clients and servers require installation of {{PRD:OpenSSL}}
or {{PRD:GnuTLS}}
{{TERM:TLS}} libraries to provide {{TERM[expand]TLS}} services. Though
some operating systems may provide these libraries as part of the
base system or as an optional software component, OpenSSL, GnuTLS, and
Mozilla NSS often require separate installation.
base system or as an optional software component, OpenSSL and GnuTLS
often require separate installation.
OpenSSL is available from {{URL: http://www.openssl.org/}}.
GnuTLS is available from {{URL: http://www.gnu.org/software/gnutls/}}.
Mozilla NSS is available from {{URL: http://developer.mozilla.org/en/NSS}}.
OpenLDAP Software will not be fully LDAPv3 compliant unless OpenLDAP's
{{EX:configure}} detects a usable TLS library.

4
doc/guide/admin/intro.sdf
View File

@ -383,8 +383,8 @@ SASL}} software which supports a number of mechanisms including
{{B:{{TERM[expand]TLS}}}}: {{slapd}} supports certificate-based
authentication and data security (integrity and confidentiality)
services through the use of TLS (or SSL). {{slapd}}'s TLS
implementation can utilize {{PRD:OpenSSL}}, {{PRD:GnuTLS}},
or {{PRD:MozNSS}} software.
implementation can utilize {{PRD:OpenSSL}} or {{PRD:GnuTLS}},
software.
{{B:Topology control}}: {{slapd}} can be configured to restrict
access at the socket layer based upon network topology information.

70
doc/guide/admin/tls.sdf
View File

@ -19,7 +19,7 @@ identities. All servers are required to have valid certificates,
whereas client certificates are optional. Clients must have a
valid certificate in order to authenticate via SASL EXTERNAL.
For more information on creating and managing certificates,
see the {{PRD:OpenSSL}}, {{PRD:GnuTLS}}, or {{PRD:MozNSS}} documentation,
see the {{PRD:OpenSSL}} or {{PRD:GnuTLS}} documentation,
depending on which TLS implementation libraries you are using.
H3: Server Certificates
@ -90,37 +90,12 @@ this option can only be used with a filesystem that actually supports
symbolic links. In general, it is simpler to use the
{{EX:TLSCACertificateFile}} directive instead.
When using Mozilla NSS, this directive can be used to specify the
path of the directory containing the NSS certificate and key database
files. The {{certutil}} command can be used to add a {{TERM:CA}} certificate:
> certutil -d <path> -A -n "name of CA cert" -t CT,, -a -i /path/to/cacertfile.pem
. This command will add a CA certificate stored in the PEM (ASCII) formatted
. file named /path/to/cacertfile.pem. {{EX:-t CT,,}} means that the certificate is
. trusted to be a CA issuing certs for use in TLS clients and servers.
H4: TLSCertificateFile <filename>
This directive specifies the file that contains the slapd server
certificate. Certificates are generally public information and
require no special protection.
When using Mozilla NSS, if using a cert/key database (specified with
{{EX:TLSCACertificatePath}}), this directive specifies
the name of the certificate to use:
> TLSCertificateFile Server-Cert
. If using a token other than the internal built in token, specify the
. token name first, followed by a colon:
> TLSCertificateFile my hardware device:Server-Cert
. Use {{EX:certutil -L}} to list the certificates by name:
> certutil -d /path/to/certdbdir -L
H4: TLSCertificateKeyFile <filename>
This directive specifies the file that contains the private key
@ -130,18 +105,6 @@ password encrypted for protection. However, the current implementation
doesn't support encrypted keys so the key must not be encrypted
and the file itself must be protected carefully.
When using Mozilla NSS, this directive specifies the name of
a file that contains the password for the key for the certificate specified with
{{EX:TLSCertificateFile}}. The modutil command can be used to turn off password
protection for the cert/key database. For example, if {{EX:TLSCACertificatePath}}
specifies /etc/openldap/certdb as the location of the cert/key database, use
modutil to change the password to the empty string:
> modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
. You must have the old password, if any. Ignore the WARNING about the running
. browser. Press 'Enter' for the new password.
H4: TLSCipherSuite <cipher-suite-spec>
This directive configures what ciphers will be accepted and the
@ -161,13 +124,6 @@ To obtain the list of ciphers in GnuTLS use:
> gnutls-cli -l
When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
translated into the format used internally by Mozilla NSS. There isn't an easy
way to list the cipher suites from the command line. The authoritative list
is in the source code for Mozilla NSS in the file sslinfo.c in the structure
> static const SSLCipherSuiteInfo suiteInfo[]
H4: TLSRandFile <filename>
This directive specifies the file to obtain random bits from when
@ -186,7 +142,7 @@ copy a few hundred bytes of arbitrary data into the file. The file
is only used to provide a seed for the pseudo-random number generator,
and it doesn't need very much data to work.
This directive is ignored with GnuTLS and Mozilla NSS.
This directive is ignored with GnuTLS.
H4: TLSDHParamFile <filename>
@ -201,8 +157,6 @@ generated using the following command
or
> certtool --generate-dh-params --bits <numbits> --outfile <filename>
This directive is ignored with Mozilla NSS.
H4: TLSECName <name>
This directive specifies the curve to use for Elliptic Curve
@ -212,7 +166,7 @@ curves may be shown using the following command
> openssl ecparam -list_curves
This directive is not used for GnuTLS and is ignored with Mozilla NSS.
This directive is not used for GnuTLS.
For GnuTLS the curves may be specified in the ciphersuite.
H4: TLSVerifyClient { never | allow | try | demand }
@ -273,7 +227,7 @@ H4: TLS_CACERTDIR <path>
This is equivalent to the server's {{EX:TLSCACertificatePath}} option. The
specified directory must be managed with the OpenSSL {{c_rehash}}
utility as well. If using Mozilla NSS, <path> may contain a cert/key database.
utility as well.
H4: TLS_CERT <filename>
@ -281,22 +235,6 @@ This directive specifies the file that contains the client certificate.
This is a user-only directive and can only be specified in a user's
{{.ldaprc}} file.
When using Mozilla NSS, if using a cert/key database (specified with
{{EX:TLS_CACERTDIR}}), this directive specifies
the name of the certificate to use:
> TLS_CERT Certificate for Sam Carter
. If using a token other than the internal built in token, specify the
. token name first, followed by a colon:
> TLS_CERT my hardware device:Certificate for Sam Carter
. Use {{EX:certutil -L}} to list the certificates by name:
> certutil -d /path/to/certdbdir -L
H4: TLS_KEY <filename>
This directive specifies the file that contains the private key

1
doc/guide/preamble.sdf
View File

@ -135,7 +135,6 @@ GnuTLS|http://www.gnu.org/software/gnutls/
Heimdal|http://www.pdc.kth.se/heimdal/
JLDAP|http://www.openldap.org/jldap/
MIT Kerberos|http://web.mit.edu/kerberos/www/
MozNSS|http://developer.mozilla.org/en/NSS
OpenLDAP|http://www.openldap.org/
OpenLDAP FAQ|http://www.openldap.org/faq/
OpenLDAP ITS|http://www.openldap.org/its/

5
doc/man/man3/ldap_get_option.3
View File

@ -722,7 +722,6 @@ must be
.BR "char **" ,
and its contents need to be freed by the caller using
.BR ldap_memfree (3).
Ignored by Mozilla NSS.
.TP
.B LDAP_OPT_X_TLS_ECNAME
Gets/sets the name of the curve used for
@ -735,7 +734,7 @@ must be
.BR "char **" ,
and its contents need to be freed by the caller using
.BR ldap_memfree (3).
Ignored by GnuTLS and Mozilla NSS. In GnuTLS a curve may be selected
Ignored by GnuTLS. In GnuTLS a curve may be selected
in the cipher suite specification.
.TP
.B LDAP_OPT_X_TLS_KEYFILE
@ -789,7 +788,7 @@ must be
.BR "char **" ,
and its contents need to be freed by the caller using
.BR ldap_memfree (3).
Ignored by GnuTLS older than version 2.2. Ignored by Mozilla NSS.
Ignored by GnuTLS older than version 2.2.
.TP
.B LDAP_OPT_X_TLS_REQUIRE_CERT
Sets/gets the peer certificate checking strategy,

49
doc/man/man5/ldap.conf.5
View File

@ -320,30 +320,10 @@ certificates in separate individual files. The
is always used before
.B TLS_CACERTDIR.
This parameter is ignored with GnuTLS.
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
database. If <path> contains a Mozilla NSS cert/key database and
CA cert files, OpenLDAP will use the cert/key database and will
ignore the CA cert files.
.TP
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
.B This is a user-only option.
When using Mozilla NSS, if using a cert/key database (specified with
TLS_CACERTDIR), TLS_CERT specifies the name of the certificate to use:
.nf
TLS_CERT Certificate for Sam Carter
.fi
If using a token other than the internal built in token, specify the
token name first, followed by a colon:
.nf
TLS_CERT my hardware device:Certificate for Sam Carter
.fi
Use certutil \-L to list the certificates by name:
.nf
certutil \-d /path/to/certdbdir \-L
.fi
.TP
.B TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate
@ -352,24 +332,11 @@ stored in the
file. Currently, the private key must not be protected with a password, so
it is of critical importance that the key file is protected carefully.
.B This is a user-only option.
When using Mozilla NSS, TLS_KEY specifies the name of a file that contains
the password for the key for the certificate specified with TLS_CERT. The
modutil command can be used to turn off password protection for the cert/key
database. For example, if TLS_CACERTDIR specifies /home/scarter/.moznss as
the location of the cert/key database, use modutil to change the password
to the empty string:
.nf
modutil \-dbdir ~/.moznss \-changepw 'NSS Certificate DB'
.fi
You must have the old password, if any. Ignore the WARNING about the running
browser. Press 'Enter' for the new password.
.TP
.B TLS_CIPHER_SUITE <cipher-suite-spec>
Specifies acceptable cipher suite and preference order.
<cipher-suite-spec> should be a cipher specification for
the TLS library in use (OpenSSL, GnuTLS, or Mozilla NSS).
the TLS library in use (OpenSSL or GnuTLS).
Example:
.RS
.RS
@ -399,14 +366,6 @@ In older versions of GnuTLS, where gnutls\-cli does not support the option
.nf
gnutls\-cli \-l
.fi
When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
translated into the format used internally by Mozilla NSS. There isn't an easy
way to list the cipher suites from the command line. The authoritative list
is in the source code for Mozilla NSS in the file sslinfo.c in the structure
.nf
static const SSLCipherSuiteInfo suiteInfo[]
.fi
.RE
.TP
.B TLS_PROTOCOL_MIN <major>[.<minor>]
@ -430,7 +389,7 @@ This parameter is ignored with GnuTLS.
Specifies the file to obtain random bits from when /dev/[u]random is
not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
This parameter is ignored with GnuTLS and Mozilla NSS.
This parameter is ignored with GnuTLS.
.TP
.B TLS_REQCERT <level>
Specifies what checks to perform on server certificates in a TLS session,
@ -463,7 +422,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the server certificates have not been revoked. This
requires
.B TLS_CACERTDIR
parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS.
parameter to be set. This parameter is ignored with GnuTLS.
.B <level>
can be specified as one of the following keywords:
.RS
@ -481,7 +440,7 @@ Check the CRL for a whole certificate chain
.B TLS_CRLFILE <filename>
Specifies the file containing a Certificate Revocation List to be used
to verify if the server certificates have not been revoked. This
parameter is only supported with GnuTLS and Mozilla NSS.
parameter is only supported with GnuTLS.
.SH "ENVIRONMENT VARIABLES"
.TP
LDAPNOINIT

55
doc/man/man5/slapd-config.5
View File

@ -831,7 +831,7 @@ you can specify.
.B olcTLSCipherSuite: <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
<cipher-suite-spec> should be a cipher specification for
the TLS library in use (OpenSSL, GnuTLS, or Mozilla NSS).
the TLS library in use (OpenSSL or GnuTLS).
Example:
.RS
.RS
@ -861,14 +861,6 @@ In older versions of GnuTLS, where gnutls\-cli does not support the option
.nf
gnutls\-cli \-l
.fi
When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
translated into the format used internally by Mozilla NSS. There isn't an easy
way to list the cipher suites from the command line. The authoritative list
is in the source code for Mozilla NSS in the file sslinfo.c in the structure
.nf
static const SSLCipherSuiteInfo suiteInfo[]
.fi
.RE
.TP
.B olcTLSCACertificateFile: <filename>
@ -883,32 +875,11 @@ certificates in separate individual files. Usually only one of this
or the olcTLSCACertificateFile is defined. If both are specified, both
locations will be used. This directive is not supported
when using GnuTLS.
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
database. If <path> contains a Mozilla NSS cert/key database and
CA cert files, OpenLDAP will use the cert/key database and will
ignore the CA cert files.
.TP
.B olcTLSCertificateFile: <filename>
Specifies the file that contains the
.B slapd
server certificate.
When using Mozilla NSS, if using a cert/key database (specified with
olcTLSCACertificatePath), olcTLSCertificateFile specifies
the name of the certificate to use:
.nf
olcTLSCertificateFile: Server-Cert
.fi
If using a token other than the internal built in token, specify the
token name first, followed by a colon:
.nf
olcTLSCertificateFile: my hardware device:Server-Cert
.fi
Use certutil \-L to list the certificates by name:
.nf
certutil \-d /path/to/certdbdir \-L
.fi
.TP
.B olcTLSCertificateKeyFile: <filename>
Specifies the file that contains the
@ -920,19 +891,6 @@ be manually typed in when slapd starts. Usually the private key is not
protected with a password, to allow slapd to start without manual
intervention, so
it is of critical importance that the file is protected carefully.
When using Mozilla NSS, olcTLSCertificateKeyFile specifies the name of
a file that contains the password for the key for the certificate specified with
olcTLSCertificateFile. The modutil command can be used to turn off password
protection for the cert/key database. For example, if olcTLSCACertificatePath
specifies /etc/openldap/certdb as the location of the cert/key database, use
modutil to change the password to the empty string:
.nf
modutil \-dbdir /etc/openldap/certdb \-changepw 'NSS Certificate DB'
.fi
You must have the old password, if any. Ignore the WARNING about the running
browser. Press 'Enter' for the new password.
.TP
.B olcTLSDHParamFile: <filename>
This directive specifies the file that contains parameters for Diffie-Hellman
@ -945,15 +903,12 @@ actual client or server authentication and provide no protection against
man-in-the-middle attacks.
You should append "!ADH" to your cipher suites to ensure that these suites
are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
.B olcTLSECName: <name>
Specify the name of a curve to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This is required to enable ECDHE algorithms in
OpenSSL. This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification. This option is also
ignored for Mozilla NSS.
chosen in the GnuTLS ciphersuite specification.
.TP
.B olcTLSProtocolMin: <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
@ -976,7 +931,7 @@ This directive is ignored with GnuTLS.
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
This directive is ignored with GnuTLS and Mozilla NSS.
This directive is ignored with GnuTLS.
.TP
.B olcTLSVerifyClient: <level>
Specifies what checks to perform on client certificates in an
@ -1018,7 +973,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the client certificates have not been revoked. This
requires
.B olcTLSCACertificatePath
parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS.
parameter to be set. This parameter is ignored with GnuTLS.
.B <level>
can be specified as one of the following keywords:
.RS
@ -1036,7 +991,7 @@ Check the CRL for a whole certificate chain
.B olcTLSCRLFile: <filename>
Specifies a file containing a Certificate Revocation List to be used
for verifying that certificates have not been revoked. This parameter
is only valid when using GnuTLS or Mozilla NSS.
is only valid when using GnuTLS.
.SH DYNAMIC MODULE OPTIONS
If
.B slapd

54
doc/man/man5/slapd.conf.5
View File

@ -1062,7 +1062,7 @@ you can specify.
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
<cipher-suite-spec> should be a cipher specification for the TLS library
in use (OpenSSL, GnuTLS, or Mozilla NSS).
in use (OpenSSL or GnuTLS).
Example:
.RS
.RS
@ -1092,14 +1092,6 @@ In older versions of GnuTLS, where gnutls\-cli does not support the option
.nf
gnutls\-cli \-l
.fi
When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
translated into the format used internally by Mozilla NSS. There isn't an easy
way to list the cipher suites from the command line. The authoritative list
is in the source code for Mozilla NSS in the file sslinfo.c in the structure
.nf
static const SSLCipherSuiteInfo suiteInfo[]
.fi
.RE
.TP
.B TLSCACertificateFile <filename>
@ -1118,32 +1110,11 @@ Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
or the TLSCACertificateFile is used. This directive is not supported
when using GnuTLS.
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
database. If <path> contains a Mozilla NSS cert/key database and
CA cert files, OpenLDAP will use the cert/key database and will
ignore the CA cert files.
.TP
.B TLSCertificateFile <filename>
Specifies the file that contains the
.B slapd
server certificate.
When using Mozilla NSS, if using a cert/key database (specified with
TLSCACertificatePath), TLSCertificateFile specifies
the name of the certificate to use:
.nf
TLSCertificateFile Server-Cert
.fi
If using a token other than the internal built in token, specify the
token name first, followed by a colon:
.nf
TLSCertificateFile my hardware device:Server-Cert
.fi
Use certutil \-L to list the certificates by name:
.nf
certutil \-d /path/to/certdbdir \-L
.fi
.TP
.B TLSCertificateKeyFile <filename>
Specifies the file that contains the
@ -1152,18 +1123,6 @@ server private key that matches the certificate stored in the
.B TLSCertificateFile
file. Currently, the private key must not be protected with a password, so
it is of critical importance that it is protected carefully.
When using Mozilla NSS, TLSCertificateKeyFile specifies the name of
a file that contains the password for the key for the certificate specified with
TLSCertificateFile. The modutil command can be used to turn off password
protection for the cert/key database. For example, if TLSCACertificatePath
specifies /etc/openldap/certdb as the location of the cert/key database, use
modutil to change the password to the empty string:
.nf
modutil \-dbdir /etc/openldap/certdb \-changepw 'NSS Certificate DB'
.fi
You must have the old password, if any. Ignore the WARNING about the running
browser. Press 'Enter' for the new password.
.TP
.B TLSDHParamFile <filename>
This directive specifies the file that contains parameters for Diffie-Hellman
@ -1176,15 +1135,12 @@ actual client or server authentication and provide no protection against
man-in-the-middle attacks.
You should append "!ADH" to your cipher suites to ensure that these suites
are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
.B TLSECName <name>
Specify the name of a curve to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This is required to enable ECDHE algorithms in
OpenSSL. This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification. This option is also
ignored for Mozilla NSS.
chosen in the GnuTLS ciphersuite specification.
.TP
.B TLSProtocolMin <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
@ -1207,7 +1163,7 @@ This directive is ignored with GnuTLS.
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
This directive is ignored with GnuTLS and Mozilla NSS.
This directive is ignored with GnuTLS.
.TP
.B TLSVerifyClient <level>
Specifies what checks to perform on client certificates in an
@ -1249,7 +1205,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the client certificates have not been revoked. This
requires
.B TLSCACertificatePath
parameter to be set. This directive is ignored with GnuTLS and Mozilla NSS.
parameter to be set. This directive is ignored with GnuTLS.
.B <level>
can be specified as one of the following keywords:
.RS
@ -1267,7 +1223,7 @@ Check the CRL for a whole certificate chain
.B TLSCRLFile <filename>
Specifies a file containing a Certificate Revocation List to be used
for verifying that certificates have not been revoked. This directive is
only valid when using GnuTLS and Mozilla NSS.
only valid when using GnuTLS.
.SH GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration file section
for the specified backend. They are supported by every

4
libraries/libldap/Makefile.in
View File

@ -26,7 +26,7 @@ SRCS = bind.c open.c result.c error.c compare.c search.c \
request.c os-ip.c url.c pagectrl.c sortctrl.c vlvctrl.c \
init.c options.c print.c string.c util-int.c schema.c \
charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
tls2.c tls_o.c tls_g.c tls_m.c \
tls2.c tls_o.c tls_g.c \
turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \
assertion.c deref.c ldifutil.c ldif.c fetch.c lbase64.c \
msctrl.c psearchctrl.c
@ -40,7 +40,7 @@ OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \
request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \
init.lo options.lo print.lo string.lo util-int.lo schema.lo \
charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
tls2.lo tls_o.lo tls_g.lo tls_m.lo \
tls2.lo tls_o.lo tls_g.lo \
turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \
assertion.lo deref.lo ldifutil.lo ldif.lo fetch.lo lbase64.lo \
msctrl.lo psearchctrl.lo

2
libraries/libldap/tls2.c
View File

@ -43,9 +43,7 @@ static tls_impl *tls_imp = &ldap_int_tls_impl;
#endif /* HAVE_TLS */
#ifndef HAVE_MOZNSS
#define LDAP_USE_NON_BLOCKING_TLS
#endif
/* RFC2459 minimum required set of supported attribute types
* in a certificate DN

3403
libraries/libldap/tls_m.c
View File

File diff suppressed because it is too large Load Diff

4
libraries/libldap_r/Makefile.in
View File

@ -28,7 +28,7 @@ XXSRCS = apitest.c test.c \
request.c os-ip.c url.c pagectrl.c sortctrl.c vlvctrl.c \
init.c options.c print.c string.c util-int.c schema.c \
charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
tls2.c tls_o.c tls_g.c tls_m.c \
tls2.c tls_o.c tls_g.c \
turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \
assertion.c deref.c ldifutil.c ldif.c fetch.c lbase64.c \
msctrl.c psearchctrl.c
@ -47,7 +47,7 @@ OBJS = threads.lo rdwr.lo tpool.lo rq.lo \
request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \
init.lo options.lo print.lo string.lo util-int.lo schema.lo \
charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
tls2.lo tls_o.lo tls_g.lo tls_m.lo \
tls2.lo tls_o.lo tls_g.lo \
turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \
assertion.lo deref.lo ldifutil.lo ldif.lo fetch.lo lbase64.lo \
msctrl.lo psearchctrl.lo