I have not been able to figure out how to dump more info on the encryption levels, certificate CN & expiration date etc. Should this be done through the openssl functions? If so, what do I hook them to?
Eric Nichols wrote:
I have not been able to figure out how to dump more info on the encryption levels, certificate CN & expiration date etc. Should this be done through the openssl functions? If so, what do I hook them to?
Have you tried the "slapd -d trace" option?
You can get a more detailed description of each debugging level from "man slapd.conf".
Jittinan Suwanrueangsri wrote:
Eric Nichols wrote:
I have not been able to figure out how to dump more info on the encryption levels, certificate CN & expiration date etc. Should this be done through the openssl functions? If so, what do I hook them to?
Have you tried the "slapd -d trace" option?
You can get a more detailed description of each debugging level from "man slapd.conf".
I'm more interested in the lib calls. I'm trying to write a program to pull this information when I connect to an LDAP server over SSL.
Eric Nichols wrote:
Jittinan Suwanrueangsri wrote:
Eric Nichols wrote:
I have not been able to figure out how to dump more info on the encryption levels, certificate CN & expiration date etc. Should this be done through the openssl functions? If so, what do I hook them to?
Have you tried the "slapd -d trace" option?
You can get a more detailed description of each debugging level from "man slapd.conf".
I'm more interested in the lib calls. I'm trying to write a program to pull this information when I connect to an LDAP server over SSL.
There are no public APIs for retrieving this info. You can retrieve the SSL session handle from the LDAP* handle using
SSL *s; ldap_get_option( ld, LDAP_OPT_X_TLS_SSL_CTX, &s );
You can get the encryption level using ldap_pvt_tls_get_strength( s );
You can get the DN of your certificate using struct berval dn; ldap_pvt_tls_get_my_dn( s, &dn, NULL, 0 );
You can get the DN of the peer certificate using ldap_pvt_tls_get_peer_dn( s, &dn, NULL, 0 );
Note that these functions are private to OpenLDAP's implementation, and are not specified in any API standard, and are subject to change without notice.
There is no libldap function for returning the cert expiration date; since the OpenSSL library already does cert validation checks we've never needed a function to pull this out on its own. To do anything else you'll have to use the OpenSSL functions directly.
Howard Chu wrote:
Eric Nichols wrote:
Jittinan Suwanrueangsri wrote:
Eric Nichols wrote:
I have not been able to figure out how to dump more info on the encryption levels, certificate CN & expiration date etc. Should this be done through the openssl functions? If so, what do I hook them to?
Have you tried the "slapd -d trace" option?
You can get a more detailed description of each debugging level from "man slapd.conf".
I'm more interested in the lib calls. I'm trying to write a program to pull this information when I connect to an LDAP server over SSL.
There are no public APIs for retrieving this info. You can retrieve the SSL session handle from the LDAP* handle using
SSL *s; ldap_get_option( ld, LDAP_OPT_X_TLS_SSL_CTX, &s );
You can get the encryption level using ldap_pvt_tls_get_strength( s );
You can get the DN of your certificate using struct berval dn; ldap_pvt_tls_get_my_dn( s, &dn, NULL, 0 );
You can get the DN of the peer certificate using ldap_pvt_tls_get_peer_dn( s, &dn, NULL, 0 );
Note that these functions are private to OpenLDAP's implementation, and are not specified in any API standard, and are subject to change without notice.
There is no libldap function for returning the cert expiration date; since the OpenSSL library already does cert validation checks we've never needed a function to pull this out on its own. To do anything else you'll have to use the OpenSSL functions directly.
Thanks Howard, that's exactly the information I am looking for. I have a customer with some rather specific requirements. The SSL session handle may be all that I need to get what I'm looking for. My guess is I can use the openssl APIs to query the handle and get everything else. Many thanks for the detailed response.
Eric Nichols wrote:
I have not been able to figure out how to dump more info on the encryption levels, certificate CN & expiration date etc. Should this be done through the openssl functions? If so, what do I hook them to?
Your rather general question yields a rather general answer - I would guess that e.g. http://www.symas.com/blog/?page_id=74 and https://help.ubuntu.com/community/SecuringOpenLDAPConnections describe what you are looking for. Note that negotiating TLS with openssl is not yet enabled for LDAP, only for SMTP.
I haven't seen certificate information in any loglevel either, just through stracing the process.
If the purpose is to intercept the encryption mechanisms within the OpenLDAP code, I suggest you try the openldap-devel mailing list for more information.
Hope this helps.
openldap-software@openldap.org