It certainly looks like it's treating the certs like slapd.conf: read once and remember.

Well done on testing this - someone else asked this a while back (although less technical).

- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jacobs@apollogrp.edu


From: openldap-technical-bounces@OpenLDAP.org <openldap-technical-bounces@OpenLDAP.org>
To: ctosgh <ctosgh@126.com>
Cc: openldap-technical@openldap.org <openldap-technical@openldap.org>
Sent: Mon Sep 20 18:17:48 2010
Subject: Re: A LDAPS related issue

Seems nobody has run into this issue??


At 2010-09-20 10:02:10, ctosgh <ctosgh@126.com> wrote:
Hi, folks
I am using the APIs from openldap and recently ran into a problem which upset me.  The following is the framework of the function.
#include <ldap.h>

int ldaps_func(void)
{
   LDAP* ld = NULL;
   char * uri = "ldaps://xxx.xxx.xxx:636";
   .....
   ldap_set_option(...);   // using LDAP v3
   ldap_set_option(...);   // set LDAP_OPT_X_TLS_REQUIRE_CERT to demand
   ldap_set_option(...);   // set LDAP_OPT_X_TLS_CACERTDIR to /tmp/ldapsCA/
   ldap_initialize(&ld, uri);
   .....
   ldap_simple_bind(.....);
   ldap_search_ext(...);
   ......
   ldap_unbind(ld);
   .....
   return 0;
}
The above function is called in a while loop to authenticate users to a LDAPS server when an authentication request comes up.  This function works fine. BUT after one successful authentication, if I delete the CA certificates for the server's certificate under /tmp/ldapsCA/, subsequent authentications will STILL succeed. If I restart this daemon, no authentication will succeed, because the CA certificates under /tmp/ldapsCA/ have been deleted.
Why do I delete the CA certificates under /tmp/ldapsCA/? I just want to simulate a "certificate change".
Is the openssl library caching something??
Does anyone have any ideas about this? I would really appreciate it.
Thanks,
Jacky

This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.