From: Bin Lu <blu@paloaltonetworks.com>
To: openldap-technical@openldap.org
Subject: RE: way to validate server certificate
Date: Tue, 23 Sep 2014 21:20:28 +0000
Message-ID: <841A051D8BD4144AA7B5AC63D97F9F0517943286@sjccmbxpw01p.paloaltonetworks.local>
In-Reply-To: <20140922212522.1be461e0@pink.avci.de>

Dieter,

I know how to do it using openssl lib functions. But I am looking for openldap support.

Thanks,
-binlu

-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces(a)openldap.org] On Behalf Of Dieter Klünter
Sent: Monday, September 22, 2014 12:25 PM
To: openldap-technical(a)openldap.org
Subject: Re: way to validate server certificate

On Mon, 22 Sep 2014 17:51:02 +0000, Bin Lu wrote:
> Hi Howard,
>
> The RFCs specify the protocol, but not all releases implement the full protocol.
>
> I briefly went through the openLdap APIs but could not find the APIs to do server id check. LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_CACERTDIR seem to be for server cert validation, but I don't see how it does the hostname matching.
>
> It would be helpful if somebody could point me to the actual API(s) that does this.

That depends on the included TLS library; for OpenSSL you might want to read https://www.openssl.org/docs/ssl/ssl.html#DEALING_WITH_PROTOCOL_METHODS

-Dieter

>
> Thanks,
>
> -----Original Message-----
> From: Howard Chu [mailto:hyc(a)symas.com]
> Sent: Friday, September 19, 2014 8:10 PM
> To: Bin Lu; openldap-technical(a)openldap.org
> Subject: Re: way to validate server certificate
>
> Bin Lu wrote:
> > Hi,
> >
> > Does openldap provide APIs to do server certificate validation? Can I retrieve the server cert from the LDAP connection and do the validation myself, or by passing the trusted CA list will openldap do it (in this case, how is the hostname matching with the subject DN performed)?
>
> OpenLDAP libldap does server certificate validation according to RFC2830 and 4513. It would be a mistake to duplicate that functionality and do the validation yourself.
> >
> > Thanks a lot in advance,
> >
> > -blu
> >
>
>

--
Dieter Klünter | Systemberatung
http://sys4.de/
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
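The hostname-matching step Bin Lu asks about, as an added illustrative example that is not part of the thread and not libldap's own code: a stand-alone C reimplementation of the RFC 4513 section 3.1.3 server identity check that libldap applies once certificate verification is enabled (LDAP_OPT_X_TLS_REQUIRE_CERT set to demand or hard). The function names and the sample certificate names are constructed; the example consults the subject CN only when the certificate carries no dNSName subjectAltName, the strict reading of the RFC.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample certificate contents (not taken from any real server). */
static const char *const SAMPLE_SANS[] = { "ldap1.example.com", "*.example.com" };
static const size_t SAMPLE_NSANS = 2;

/* Compare one presented name (a dNSName SAN or the subject CN) with the
 * reference host name.  Per RFC 4513 sect. 3.1.3 a leading "*" matches
 * exactly one left-most DNS label; DNS names compare case-insensitively. */
static bool name_matches(const char *presented, const char *host)
{
    if (presented[0] == '*' && presented[1] == '.') {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)      /* need a non-empty first label */
            return false;
        return strcasecmp(presented + 1, dot) == 0;
    }
    return strcasecmp(presented, host) == 0;
}

/* Server identity check (hypothetical helper, not a libldap API).
 * sans/nsans: dNSName values from subjectAltName (nsans == 0 if absent);
 * cn: subject Common Name or NULL.  SANs take precedence; the deprecated
 * CN fallback is consulted only when the certificate has no dNSName at all. */
bool check_server_identity(const char *const *sans, size_t nsans,
                           const char *cn, const char *host)
{
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (name_matches(sans[i], host))
                return true;
        return false;                        /* SANs present, none matched */
    }
    return cn != NULL && name_matches(cn, host);
}

int main(void)
{
    const char *hosts[] = { "LDAP1.Example.com", "ldap2.example.com",
                            "ldap.corp.example.com" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s %s\n", hosts[i],
               check_server_identity(SAMPLE_SANS, SAMPLE_NSANS, NULL, hosts[i])
                   ? "identity OK" : "MISMATCH: abort TLS handshake");
    return 0;
}
```

The third host shows the failure mode that catches people: "*.example.com" covers one label only, so a server two labels deep fails the check even though the CA chain is valid.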