michael@stroeder.com wrote:

Kurt Zeilenga wrote:

...

Why not just get it from TLS?

That does require an #ifdef <which TLS implementation> mess in the client. libldap already has that.

What exactly do you mean?

In OpenSSL, SSL_get_peer_certificate().

I note that it might also or instead make sense to ask for the cert chain - OpenSSL SSL_get_peer_cert_chain(). Which quickly dives into how many other TLS session attributes it would make sense to kindly provide an LDAP API interface to...

Hallvard