On Mon, 22 Sep 2014 17:51:02 +0000, Bin Lu <blu@paloaltonetworks.com> wrote:
Hi Howard,
The RFCs specify the protocol, but not all releases implement the full protocol.
I briefly went through the openLdap APIs but could not find the APIs to do server id check. LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_CACERTDIR seem to be for server cert validation, but I don't see how it does the hostname matching.
It would be helpful if somebody could point me to the actual API(s) that do this.
That depends on the included TLS library, for openSSL you might want to read https://www.openssl.org/docs/ssl/ssl.html#DEALING_WITH_PROTOCOL_METHODS
-Dieter
Thanks,
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, September 19, 2014 8:10 PM
To: Bin Lu; openldap-technical@openldap.org
Subject: Re: way to validate server certificate
Bin Lu wrote:
Hi,
Does openldap provide APIs to do server certificate validation? Can I retrieve the server cert from the LDAP connection and do the validation myself, or, by passing the trusted CA list, will openldap do it (in this case, how is the hostname matching with the subject DN performed)?
OpenLDAP libldap does server certificate validation according to RFC 2830 and RFC 4513. It would be a mistake to duplicate that functionality and do the validation yourself.
Thanks a lot in advance,
-blu
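Howard's answer is that the server identity check Bin Lu asks about is the one in RFC 4513 section 3.1.3, and libldap performs it internally. As an added illustration that is not libldap's code and not part of this thread, the matching rule written out in Python over constructed certificate values: dNSName SANs (with a single leftmost wildcard label) take precedence, the subject CN is only a fallback when no dNSName exists, and a connection made to an IP literal can only be satisfied by an iPAddress SAN.

```python
from __future__ import annotations
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one dNSName (or CN) value against the reference hostname.

    Matching is case-insensitive and label-wise. A '*' is accepted only as
    the entire leftmost label and matches exactly one label, so
    '*.example.com' covers 'ldap.example.com' but not 'example.com' or
    'a.b.example.com' (the leftmost-component rule of RFC 4513 3.1.3).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 2 and p[1:] == h[1:]  # a bare '*' never matches
    return p == h


def server_identity_matches(reference: str, san_dns: list[str],
                            san_ip: list[str], subject_cn: str | None) -> bool:
    """Decide whether a server certificate is acceptable for `reference`.

    reference  - hostname or IP literal the client used to connect; RFC 4513
                 says not to substitute a canonicalized or reverse-looked-up name.
    san_dns    - dNSName subjectAltName values from the certificate.
    san_ip     - iPAddress subjectAltName values, as text.
    subject_cn - most specific CN of the subject DN, or None.
    """
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        # Connected by IP literal: only an iPAddress SAN may satisfy the check.
        for value in san_ip:
            try:
                if ipaddress.ip_address(value) == ref_ip:
                    return True
            except ValueError:
                continue  # malformed SAN entry never matches
        return False
    if san_dns:
        # dNSName entries present: they are the identity; the CN is not consulted.
        return any(_dns_name_matches(v, reference) for v in san_dns)
    # No dNSName at all: fall back to the subject CN.
    return subject_cn is not None and _dns_name_matches(subject_cn, reference)
```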