Hi,
Does openldap provide APIs to do server certificate validation? Can I retrieve the server cert from LDAP connection and do the validation myself or by passing the trusted CA list openldap will do it (in this case, how the hostname matching with the subject DN is performed)?
Thanks a lot in advance, -blu
Bin Lu wrote:
Hi,
Does openldap provide APIs to do server certificate validation? Can I retrieve the server cert from LDAP connection and do the validation myself or by passing the trusted CA list openldap will do it (in this case, how the hostname matching with the subject DN is performed)?
OpenLDAP libldap does server certificate validation according to RFC2830 and 4513. It would be a mistake to duplicate that functionality and do the validation yourself.
Thanks a lot in advance,
-blu
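The part of the OP's question that the thread never spells out is how the hostname is compared with the certificate once the chain has been validated against the configured CAs. The block below is an added illustration, not libldap code, of the server identity rule of RFC 4513 section 3.1.3 (dNSName SAN entries first, subject CN only as a fallback, a single wildcard in the left-most label, iPAddress SAN for IP references); CertIdentities and the certificate values are constructed stand-ins for what a TLS library hands back, and the strict handling of IP references and of partial-label wildcards is my reading, not something the thread states.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentities:
    """Constructed stand-in for the identities parsed out of a server certificate
    (what libldap gets from the TLS library once chain validation succeeded)."""
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName values
    san_ip: List[str] = field(default_factory=list)   # subjectAltName iPAddress values, text form
    subject_cn: Optional[str] = None                  # CN attribute of the subject DN


def dns_name_matches(pattern: str, reference: str) -> bool:
    """Case-insensitive match of a presented dNSName/CN against the reference hostname.

    RFC 4513 allows '*' only as the left-most label, matching exactly one label:
    '*.example.com' matches 'ldap.example.com' but not 'example.com' or
    'a.b.example.com'. Partial-label wildcards such as 'ld*.example.com' are
    compared literally here, i.e. rejected (assumption: conservative reading).
    """
    pattern = pattern.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == reference
    first, dot, rest = reference.partition(".")
    return bool(dot) and first != "" and rest == pattern[2:]


def server_identity_matches(reference: str, cert: CertIdentities) -> bool:
    """Apply the RFC 4513 section 3.1.3 server identity check.

    'reference' must be the hostname (or IP) the client used to open the
    connection, never a name derived from a DNS lookup. This decides only the
    identity question; trust in the chain is the separate step that
    LDAP_OPT_X_TLS_CACERTFILE / LDAP_OPT_X_TLS_CACERTDIR configure.
    """
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        # An IP reference identity is satisfied only by an iPAddress SAN entry;
        # a CN that merely spells the address is not accepted (assumption: strict).
        return any(ipaddress.ip_address(ip) == ref_ip for ip in cert.san_ip)
    if cert.san_dns:
        # dNSName SAN entries are authoritative when present; the CN is then ignored.
        return any(dns_name_matches(p, reference) for p in cert.san_dns)
    # Legacy fallback: no dNSName SAN, so the subject CN is compared.
    return cert.subject_cn is not None and dns_name_matches(cert.subject_cn, reference)
```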
Hi Howard,
The RFCs specify the protocol, but not all releases implement the full protocol.
I briefly went through the OpenLDAP APIs but could not find the APIs to do the server id check. LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_CACERTDIR seem to be for server cert validation, but I don't see how it does the hostname matching.
It would be helpful if somebody could point me to the actual API(s) that do this.
Thanks,
-----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Friday, September 19, 2014 8:10 PM To: Bin Lu; openldap-technical@openldap.org Subject: Re: way to validate server certificate
On Mon, 22 Sep 2014 17:51:02 +0000, Bin Lu <blu@paloaltonetworks.com> wrote:
Hi Howard,
The RFCs specify the protocol, but not all releases implement the full protocol.
I briefly went through the OpenLDAP APIs but could not find the APIs to do the server id check. LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_CACERTDIR seem to be for server cert validation, but I don't see how it does the hostname matching.
It would be helpful if somebody could point me to the actual API(s) that do this.
That depends on the included TLS library; for OpenSSL you might want to read https://www.openssl.org/docs/ssl/ssl.html#DEALING_WITH_PROTOCOL_METHODS
-Dieter
Dieter,
I know how to do it using openssl lib functions. But I am looking for openldap support.
Thanks, -binlu
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Klünter Sent: Monday, September 22, 2014 12:25 PM To: openldap-technical@openldap.org Subject: Re: way to validate server certificate
-- Dieter Klünter | Systems consulting http://sys4.de/ GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
On Tue, 23 Sep 2014, Bin Lu wrote:
Dieter,
I know how to do it using openssl lib functions. But I am looking for openldap support.
OpenLDAP support for what? You've talked about standards used for applications verifying subject names, configuration of CAs, and opened an aside regarding in-memory CAs so far.
verifying names: Howard's told you what specs libldap implements, the support is there. Read the code if you don't believe him.
configuring CAs/in-memory CAs: The TLS library providers can tell you what each of their libraries implements. (And it's most definitely not OpenLDAP's job to duplicate what the TLS libraries already provide...) You can find the related libldap/slapd configuration directives in the appropriate man pages. These are typically passed straight to the crypto libraries, though, so a thorough understanding of your chosen crypto library is key. (Keep in mind that OpenLDAP supports a compile-time choice of multiple crypto providers.)
I think he's hoping to utilize the same code used in OpenLDAP to do verification outside of 'doing everything else OpenLDAP does'. As in: use the code/methods OpenLDAP uses exposed in a manner he might use them to test/verify certs/etc.
I could be really wrong though.
- chris
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Aaron Richton Sent: Wednesday, September 24, 2014 10:08 AM To: Bin Lu Cc: Dieter Klünter; openldap-technical@openldap.org Subject: RE: way to validate server certificate
Support for "server cert validation"; I was looking for the API(s) that do that, e.g. whether setting the LDAP_OPT_X_TLS_CACERTFILE option (and/or combining it with LDAP_OPT_X_TLS_DEMAND) would do it, etc. It would be really nice to have a callback API to use your own validation logic (to handle some special cases); maybe it already exists and I just don't know.
There is no reason I would not believe anybody's answer, but "yes/no + digging out the code yourself" obviously is not the answer I am looking for.
My in-memory setting API question is: if LDAP_OPT_X_TLS_CACERTFILE is the only way provided to set the trusted CAs, then it would be better to have an alternative API to set them with in-memory data (X509 etc.), as it's less efficient to read the file again.
Regards, -binlu
Bin Lu wrote:
Support for "server cert validation"; I was looking for the API(s) that do that, e.g. whether setting the LDAP_OPT_X_TLS_CACERTFILE option (and/or combining it with LDAP_OPT_X_TLS_DEMAND) would do it, etc. It would be really nice to have a callback API to use your own validation logic (to handle some special cases); maybe it already exists and I just don't know.
One option is maybe to make the connection and initialize the SSL context yourself and use ldap_init_fd(). This only works for LDAPS though.
In git master there's already code to retrieve the server cert by calling ldap_get_option(LDAP_OPT_X_TLS_PEERCERT) and do whatever you want with it. I guess this won't appear in RE24.
Ciao, Michael.
Bin Lu wrote:
Hi Howard,
The RFCs specify the protocol, but not all releases implement the full protocol.
All releases of OpenLDAP do, and have done for at least the past decade.
Unfortunately that's not the answer I am looking for ...
-----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Monday, September 22, 2014 10:16 PM To: Bin Lu; openldap-technical@openldap.org Subject: Re: way to validate server certificate
Bin Lu wrote:
Hi Howard,
The RFCs specify the protocol, but not all releases implement the full protocol.
All releases of OpenLDAP do, and have done for at least the past decade.
In addition, it would be nice to have an in-memory config setting API for the server CAs (if you already have these CAs in memory, you don't have to dump them to a file) instead of pointing it to a file or a directory...
-----Original Message----- From: Bin Lu Sent: Monday, September 22, 2014 10:51 AM To: 'Howard Chu'; openldap-technical@openldap.org Subject: RE: way to validate server certificate