In addition, it would be nice to have an in-memory config setting API for the server CAs (if you already have these CAs in memory, you don't have to dump them to a file) instead of pointing it to a file or a directory...
-----Original Message-----
From: Bin Lu
Sent: Monday, September 22, 2014 10:51 AM
To: 'Howard Chu'; openldap-technical@openldap.org
Subject: RE: way to validate server certificate
Hi Howard,
The RFCs specify the protocol, but not all releases implement the full protocol.
I briefly went through the OpenLDAP APIs but could not find the APIs to do the server ID check. LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_CACERTDIR seem to be for server cert validation, but I don't see how it does the hostname matching.
It would be helpful if somebody could point me to the actual API(s) that do this.
Thanks,
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, September 19, 2014 8:10 PM
To: Bin Lu; openldap-technical@openldap.org
Subject: Re: way to validate server certificate
Bin Lu wrote:
Hi,
Does OpenLDAP provide APIs to do server certificate validation? Can I retrieve the server cert from the LDAP connection and do the validation myself, or, by passing the trusted CA list, will OpenLDAP do it (in this case, how is the hostname matching against the subject DN performed)?
OpenLDAP libldap does server certificate validation according to RFC2830 and 4513. It would be a mistake to duplicate that functionality and do the validation yourself.
Thanks a lot in advance,
-blu
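The server identity check the thread asks about (RFC 4513 section 3.1.3: compare the hostname from the LDAP URI against the certificate's dNSName subjectAltName entries, falling back to the subject CN only when no dNSName is present) is illustrated below as an added Python example; it is not libldap's code, and the certificate dict is a constructed sample in the layout Python's ssl.getpeercert() returns.

```python
import ipaddress

def _match_dns(pattern: str, hostname: str) -> bool:
    """dNSName comparison: case-insensitive; a '*' may only stand for the
    whole leftmost label and never matches across a dot (RFC 4513 3.1.3)."""
    p, h = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if '*' not in p:
        return p == h
    p_labels, h_labels = p.split('.'), h.split('.')
    if p_labels[0] != '*' or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def check_server_identity(cert: dict, target: str) -> bool:
    """Return True if `cert` is issued for `target`, the host part of the
    LDAP URI the client actually connected to (never a redirected name)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    san = cert.get('subjectAltName', ())
    if ip is not None:
        # Connected by address: only an iPAddress SAN entry may satisfy the check.
        return any(k == 'IP Address' and ipaddress.ip_address(v) == ip
                   for k, v in san)
    dns_names = [v for k, v in san if k == 'DNS']
    if dns_names:
        # dNSName SAN present: it is the identity source; the CN is not consulted.
        return any(_match_dns(n, target) for n in dns_names)
    # No dNSName SAN: fall back to the most specific CN of the subject DN
    # (the last commonName RDN in the DN as stored in the certificate).
    cns = [v for rdn in cert.get('subject', ()) for a, v in rdn if a == 'commonName']
    return bool(cns) and _match_dns(cns[-1], target)

# Constructed sample in ssl.getpeercert() layout (not a real certificate).
SAMPLE_CERT = {
    'subject': ((('countryName', 'US'),), (('commonName', 'ldap.example.com'),)),
    'subjectAltName': (('DNS', 'ldap.example.com'),
                       ('DNS', '*.ldap.example.net'),
                       ('IP Address', '192.0.2.10')),
}

if __name__ == '__main__':
    for host in ('ldap.example.com', 'dc1.ldap.example.net',
                 'a.b.ldap.example.net', '192.0.2.10', 'other.example.com'):
        print(host, check_server_identity(SAMPLE_CERT, host))
```

In libldap itself this comparison runs automatically once a trust store is configured and LDAP_OPT_X_TLS_REQUIRE_CERT is at its default of demand (TLS_REQCERT demand in ldap.conf); the CACERTFILE/CACERTDIR options discussed above only supply the CAs.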