Re: [Patch] Diagnostics for failing start-tls and HOST_NAME_MAX

On Sat, 2012-03-03 at 14:55 +0100, Mel Flynn wrote:
> attached are two patches. The first changes error output for failing
> TLS negotiations from:
> nslcd[44623]: [0041a7] <group(all)> ldap_start_tls_s() failed: Connect error 
> (uri="ldap://")
> to:
> nslcd[33891]: [0041a7] <group(all)> TLS negotiation with 
> ldap:// failed: Connect error: TLS: hostname does not match CN 
> in peer certificate.
> which allowed me to solve my issue.

Thanks. I didn't know about LDAP_OPT_DIAGNOSTIC_MESSAGE. I've made some
small modifications to your patch and committed it. It was indeed
frustrating to not have a proper way to debug TLS-related errors.

> The second one fixes compilation on systems where HOST_NAME_MAX is not
> defined, but which implement at least POSIX 200112 (which includes all
> supported FreeBSD versions).

Thanks for spotting this. However, the patch doesn't currently work
because nslcd/common.h ensures that HOST_NAME_MAX is always defined.
Secondly, since the value is allocated on the stack it shouldn't be
calculated on the fly. Lastly, nslcd/pam.c and nslcd/common.c also

If you're willing to come up with a nicer way to handle this it would be

Thanks for your patches,


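As an added example (not one of the attached patches or nss-pam-ldapd's own code), this shows the approach the reply argues for: a compile-time fallback for HOST_NAME_MAX so a stack buffer keeps a constant size, with sysconf() reserved for heap-sized buffers, plus a hostname lookup that handles the truncation case. The names `get_hostname_checked` and `hostname_limit_runtime` are hypothetical.

```c
#define _POSIX_C_SOURCE 200112L
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* HOST_NAME_MAX is optional in POSIX.1-2001, but _POSIX_HOST_NAME_MAX (255)
 * is the guaranteed minimum, so a stack array sized with this macro is
 * always a constant expression. */
#ifndef HOST_NAME_MAX
# ifdef _POSIX_HOST_NAME_MAX
#  define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
# else
#  define HOST_NAME_MAX 255
# endif
#endif

/* Runtime limit, only appropriate for heap-allocated buffers; sysconf()
 * may return -1 (no limit), in which case the macro is used. */
long hostname_limit_runtime(void)
{
  long n = sysconf(_SC_HOST_NAME_MAX);
  return (n > 0) ? n : (long)HOST_NAME_MAX;
}

/* Copy the local hostname into buf. gethostname() is not required to
 * NUL-terminate on truncation, so a sentinel byte is used to detect it.
 * Returns 0 on success, -1 on error, -2 if the name was truncated. */
int get_hostname_checked(char *buf, size_t buflen)
{
  if (buf == NULL || buflen == 0)
    return -1;
  buf[buflen - 1] = '\0';           /* sentinel */
  if (gethostname(buf, buflen) != 0)
  {
    buf[0] = '\0';
    return -1;
  }
  if (buf[buflen - 1] != '\0')
  {
    buf[buflen - 1] = '\0';         /* make it safe to use before reporting */
    return -2;
  }
  return 0;
}

int main(void)
{
  char name[HOST_NAME_MAX + 1];     /* constant size: fine on the stack */
  if (get_hostname_checked(name, sizeof(name)) != 0)
    return 1;
  return printf("%s (runtime limit %ld)\n", name, hostname_limit_runtime()) < 0;
}
```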