From blu@paloaltonetworks.com Wed Sep 24 23:58:16 2014
From: Bin Lu
To: openldap-technical@openldap.org
Subject: RE: way to validate server certificate
Date: Wed, 24 Sep 2014 23:57:47 +0000

Support for "server cert validation", and was looking for the API(s) that does that, like would setting LDAP_OPT_X_TLS_CACERTFILE option (and/or combined with LDAP_OPT_X_TLS_DEMAND), etc. It would be really nice to have a callback API to use your own validation logic (to handle some special cases), maybe it already exists just I don't know.

There is no reason I would not believe anybody's answer, but "yes/no + digging out the code yourself" obviously is not the answer I am looking for.

My in-memory setting API question is "if LDAP_OPT_X_TLS_CACERTFILE is the only way provided to set the trusted CAs", then it would be better to have an alternative API to set it with in-memory data (X509 etc), as it's less efficient to read the file again.

Regards,
-binlu

-----Original Message-----
From: Aaron Richton [mailto:richton@nbcs.rutgers.edu]
Sent: Wednesday, September 24, 2014 10:08 AM
To: Bin Lu
Cc: Dieter Klünter; openldap-technical@openldap.org
Subject: RE: way to validate server certificate

On Tue, 23 Sep 2014, Bin Lu wrote:

> Dieter,
>
> I know how to do it using openssl lib functions. But I am looking for openldap support.

OpenLDAP support for what? You've talked about standards used for applications verifying subject names, configuration of CAs, and opened an aside regarding in-memory CAs so far.

verifying names: Howard's told you what specs libldap implements, the support is there. Read the code if you don't believe him.

configuring CAs/in-memory CAs: The TLS library providers can tell you what each of their libraries implement. (And it's most definitely not OpenLDAP's job to duplicate what the TLS libraries already provide...) You can find the related libldap/slapd configuration directives in the appropriate man pages. These are typically passed straight to the crypto libraries, though, so a thorough understanding of your chosen crypto library is key. (Keep in mind that OpenLDAP supports a compile-time choice of multiple crypto providers.)

> Thanks,
> -binlu
>
> -----Original Message-----
> From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Klünter
> Sent: Monday, September 22, 2014 12:25 PM
> To: openldap-technical@openldap.org
> Subject: Re: way to validate server certificate
>
> On Mon, 22 Sep 2014 17:51:02 +0000, Bin Lu wrote:
>
>> Hi Howard,
>>
>> The RFCs specify the protocol, but not all releases implement the full protocol.
>>
>> I briefly went through the openLdap APIs but could not find the APIs to do server id check. LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_CACERTDIR seem to be for server cert validation, but I don't see how it does the hostname matching.
>>
>> It would be helpful if somebody could point me to the actual API(s) that does this.
>
> That depends on the included TLS library, for openSSL you might want to read
> https://www.openssl.org/docs/ssl/ssl.html#DEALING_WITH_PROTOCOL_METHODS
>
> -Dieter
>
>> Thanks,
>>
>> -----Original Message-----
>> From: Howard Chu [mailto:hyc@symas.com]
>> Sent: Friday, September 19, 2014 8:10 PM
>> To: Bin Lu; openldap-technical@openldap.org
>> Subject: Re: way to validate server certificate
>>
>> Bin Lu wrote:
>>> Hi,
>>>
>>> Does openldap provide APIs to do server certificate validation? Can I retrieve the server cert from LDAP connection and do the validation myself or by passing the trusted CA list openldap will do it (in this case, how the hostname matching with the subject DN is performed)?
>>
>> OpenLDAP libldap does server certificate validation according to RFC2830 and 4513. It would be a mistake to duplicate that functionality and do the validation yourself.
>>
>>> Thanks a lot in advance,
>>>
>>> -blu
>
> --
> Dieter Klünter | Systemberatung
> http://sys4.de/
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E
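Howard's answer above covers the "how is the hostname matched" part of the question: libldap performs the RFC 4513 server identity check itself once certificate checking is demanded (LDAP_OPT_X_TLS_REQUIRE_CERT set to LDAP_OPT_X_TLS_DEMAND, or TLS_REQCERT demand in ldap.conf), using the host from the URI as the reference identity. To show what that check consists of, the following is an added illustration written for this page; it is not libldap's code, and the struct, function and sample names (cert_ids, server_identity_ok, the example.com / example.net / example.org hosts) are constructed for the example. It applies the rules of RFC 4513 section 3.1.3: dNSName subjectAltName values first, case-insensitively, with a wildcard allowed only as the whole leftmost label, then the subject CN as a fallback with no wildcard matching at all.

```c
/*
 * Illustrative RFC 4513 section 3.1.3 server identity check (added example;
 * not libldap's implementation, which does this itself after
 * LDAP_OPT_X_TLS_REQUIRE_CERT / TLS_REQCERT is set to demand).
 *
 * Order of checks:
 *   1. subjectAltName dNSName entries, case-insensitive; "*" is accepted only
 *      as the entire leftmost label and matches exactly one label;
 *   2. otherwise the CN of the subject's leaf RDN, with no wildcard matching.
 * iPAddress subjectAltNames are out of scope for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Identities already extracted from a server certificate. The extraction is the
 * TLS library's job; this struct is just the example's own input form. */
struct cert_ids {
    const char *const *san_dns;   /* dNSName values; may be NULL when n_san == 0 */
    size_t n_san;
    const char *cn;               /* subject CN, or NULL if absent */
};

/* Compare the reference hostname against one presented DNS name. */
static bool dns_name_match(const char *ref, const char *presented, bool allow_wildcard)
{
    if (allow_wildcard && strncmp(presented, "*.", 2) == 0) {
        const char *suffix = presented + 2;
        /* Hardening beyond the RFC text: refuse "*." and single-label suffixes
         * such as "*.com", which would match every host under a public suffix. */
        if (*suffix == '\0' || strchr(suffix, '.') == NULL)
            return false;
        /* The wildcard covers exactly one label: "*.example.com" matches
         * "ldap.example.com" but neither "example.com" nor "a.b.example.com". */
        const char *dot = strchr(ref, '.');
        if (dot == NULL || dot == ref)
            return false;
        return strcasecmp(dot + 1, suffix) == 0;
    }
    /* Anything else, including a '*' inside a label, is compared literally. */
    return strcasecmp(ref, presented) == 0;
}

/* Returns true when the certificate's identities cover ref_host. */
bool server_identity_ok(const char *ref_host, const struct cert_ids *ids)
{
    if (ref_host == NULL || *ref_host == '\0' || ids == NULL)
        return false;
    for (size_t i = 0; i < ids->n_san; i++)
        if (dns_name_match(ref_host, ids->san_dns[i], true))
            return true;
    /* CN fallback: RFC 4513 permits it, but without wildcard matching. */
    return ids->cn != NULL && dns_name_match(ref_host, ids->cn, false);
}

/* Constructed sample identities (not taken from real certificates). */
static const char *const demo_sans[] = { "*.example.com", "ldap.example.net" };
const struct cert_ids demo_san_cert     = { demo_sans, 2, "ldap.example.com" };
const struct cert_ids demo_cn_only_cert = { NULL, 0, "ldap.example.org" };
const struct cert_ids demo_cn_wild_cert = { NULL, 0, "*.example.org" };

int main(void)
{
    const char *hosts[] = { "ldap.example.com", "LDAP.EXAMPLE.NET",
                            "example.com", "a.b.example.com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-18s -> %s\n", hosts[i],
               server_identity_ok(hosts[i], &demo_san_cert) ? "ok" : "REJECT");
    printf("%-18s -> %s (CN only, no SAN)\n", "ldap.example.org",
           server_identity_ok("ldap.example.org", &demo_cn_only_cert) ? "ok" : "REJECT");
    printf("%-18s -> %s (wildcard CN, no SAN)\n", "ldap.example.org",
           server_identity_ok("ldap.example.org", &demo_cn_wild_cert) ? "ok" : "REJECT");
    return 0;
}
```

Two caveats for anyone reading this against a real deployment. First, LDAP_OPT_X_TLS_DEMAND as mentioned in the thread is a value of LDAP_OPT_X_TLS_REQUIRE_CERT, not a separate option; with the weaker values (never, allow, try) libldap will not reject a connection on a failed identity check, so the check shown here only protects a client that demands it. Second, RFC 6125, which postdates RFC 4513, is stricter about the CN: when dNSName entries are present it says the CN should not be consulted at all, whereas the example above keeps RFC 4513's permissive fallback.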