10 Jun
2011
10 Jun
'11
12:05 p.m.
On 06/10/2011 12:21 PM, Massimiliano Pala wrote:
Hi all,
are there examples on how to use STARTLS without requiring that the server's certificate is trusted ?
If the crypto api used in the ldap library is OpenSSL, that is easy:
- create a new ssl_ctx() with SSL_CTX_new()
- set my function as the verify function with SSL_CTX_set_verify()
- use the LDAP_OPT_X_TLS_CTX option to point to my new ssl_ctx
My problem is: when GnuTLS or NSS crypto libraries are used instead, how do I force the same behavior ? Or, if providing my own function is not possible, how do I force the STARTLS to go on also if it finds non-trusted server/CA certificates ?
man ldap.conf TLS_REQCERT <level> never, allow, try
Thanks, Max