Re: [Patch] Diagnostics for failing start-tls and HOST_NAME_MAX
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: [Patch] Diagnostics for failing start-tls and HOST_NAME_MAX
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Mel Flynn <rflynn [at] acsalaska.net>
- Cc: Nslcd Users List <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: [Patch] Diagnostics for failing start-tls and HOST_NAME_MAX
- Date: Mon, 05 Mar 2012 23:08:32 +0100
On Sat, 2012-03-03 at 14:55 +0100, Mel Flynn wrote:
> attached are two patches. The first changes error output for failing
> TLS negotiations from:
>
> nslcd[44623]: [0041a7] <group(all)> ldap_start_tls_s() failed: Connect error
> (uri="ldap://192.168.2.104/";)
>
> to:
>
> nslcd[33891]: [0041a7] <group(all)> TLS negotiation with
> ldap://192.168.2.104/ failed: Connect error: TLS: hostname does not match CN
> in peer certificate.
>
> which allowed me to solve my issue.
Thanks. I didn't know about LDAP_OPT_DIAGNOSTIC_MESSAGE. I've made some
small modifications to your patch and committed it. It was indeed
frustrating to not have a proper way to debug TLS-related errors.
> The second one fixes compilation on systems where HOST_NAME_MAX is not
> defined, but which implement at least POSIX 200112 (which includes all
> supported FreeBSD versions).
Thanks for spotting this. However, the patch doesn't currently work
because nslcd/common.h ensures that HOST_NAME_MAX is always defined.
Secondly, since the value is allocated on the stack it shouldn't be
calculated on the fly. Lastly, also nslcd/pam.c and nslcd/common.c also
use HOST_NAME_MAX.
If you're willing to come up with a nicer way to handle this it would be
nice.
Thanks for your patches,
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
