Hi Philip , Thanks for the quick response. As far as I know , LDAP_OPT_X_TLS_CTX will set the SSL_CTX pointer. I tried to set this opition to NULL before I did a start tls for the second time. I observed process crash at this time .
. From what you are saying , I understood that SSL_CTX had conext from which the ca cert is verified for the second time. Please correct me if I am wrong
On Thu, Aug 28, 2014 at 12:14 PM, Philip Guenther pguenther@proofpoint.com wrote:
On Wed, 27 Aug 2014, SOMA SEKHAR wrote:
On Sat, Aug 23, 2014 at 1:08 PM, SOMA SEKHAR somasekhar44@gmail.com
wrote:
link to question on stackoverflow
...
I'm having trouble verifying the correct behavior of my software. Here are the steps I am performing to verify correct operation:
- I have sample code that uses openldap library and doing a start
tls
to a ldap server. 2. I have set the global option for ca cert directory and tlx
context
for the first time. 3. After that I did ldap init and ldap start tls to a server. This
is
succesful as expected. 4. I did an ldap_unbind_s 5. I deleted the CA cert that signed the ldap server's certificate from the ca cert directory of the client. 6. Again did ldap_init and ldap_start_tls_s . 7. I expected this call to fail , as I have removed the ca cert. But what I observe is that , server sends the certificate but start_tls
is
returning success.
If you feel this behavior is not described from the ldap_tls(3) and ldap_get_option(3) manpages, then you should file an ITS asking that those manpages be clarified.
As is, the only documented sure way to completely reset the SSL state is to restart the process.
...
ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
You used this option here, but not later? If you don't know what this option does, why did you call it?
Philip