From richton@nbcs.rutgers.edu Wed Sep 24 17:08:27 2014
From: Aaron Richton
To: openldap-technical@openldap.org
Subject: RE: way to validate server certificate
Date: Wed, 24 Sep 2014 13:08:19 -0400
Message-ID:
In-Reply-To: <841A051D8BD4144AA7B5AC63D97F9F0517943286@sjccmbxpw01p.paloaltonetworks.local>

On Tue, 23 Sep 2014, Bin Lu wrote:

> Dieter,
>
> I know how to do it using openssl lib functions. But I am looking for openldap support.

OpenLDAP support for what? You've talked about standards used for applications verifying subject names, configuration of CAs, and opened an aside regarding in-memory CAs so far.

verifying names:
Howard's told you what specs libldap implements, the support is there. Read the code if you don't believe him.

configuring CAs/in-memory CAs:
The TLS library providers can tell you what each of their libraries implement. (And it's most definitely not OpenLDAP's job to duplicate what the TLS libraries already provide...) You can find the related libldap/slapd configuration directives in the appropriate man pages. These are typically passed straight to the crypto libraries, though, so a thorough understanding of your chosen crypto library is key. (Keep in mind that OpenLDAP supports a compile-time choice of multiple crypto providers.)
> Thanks,
> -binlu
>
> -----Original Message-----
> From: openldap-technical [mailto:openldap-technical-bounces(a)openldap.org] On Behalf Of Dieter Klünter
> Sent: Monday, September 22, 2014 12:25 PM
> To: openldap-technical(a)openldap.org
> Subject: Re: way to validate server certificate
>
>
> On Mon, 22 Sep 2014 17:51:02 +0000, Bin Lu wrote:
>
>> Hi Howard,
>>
>> The RFCs specify the protocol, but not all releases implement the full protocol.
>>
>> I briefly went through the openLdap APIs but could not find the APIs to do server id check. LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_CACERTDIR seem to be for server cert validation, but I don't see how it does the hostname matching.
>>
>> It would be helpful if somebody could point me to the actual API(s) that does this.
>
> That depends on the included TLS library, for openSSL you might want to read https://www.openssl.org/docs/ssl/ssl.html#DEALING_WITH_PROTOCOL_METHODS
>
>
> -Dieter
>
>>
>> Thanks,
>>
>> -----Original Message-----
>> From: Howard Chu [mailto:hyc(a)symas.com]
>> Sent: Friday, September 19, 2014 8:10 PM
>> To: Bin Lu; openldap-technical(a)openldap.org
>> Subject: Re: way to validate server certificate
>>
>> Bin Lu wrote:
>>> Hi,
>>>
>>> Does openldap provide APIs to do server certificate validation? Can I retrieve the server cert from LDAP connection and do the validation myself, or by passing the trusted CA list openldap will do it (in this case, how is the hostname matching with the subject DN performed)?
>>
>> OpenLDAP libldap does server certificate validation according to RFC2830 and 4513. It would be a mistake to duplicate that functionality and do the validation yourself.
>>>
>>> Thanks a lot in advance,
>>>
>>> -blu
>>>
>>
>>
>
>
>
> --
> Dieter Klünter | Systemberatung
> http://sys4.de/
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E
>