Hi Rich,
To provide a better picture: I am trying to use OpenLDAP to connect to a server and ignore errors in the authentication of the certificates. I am working on a *client*.
In particular the code I wrote is like this:
    ldap_initialize(&ld, url);

    if(crypto_api == LDAP_CRYPTO_API_OPENSSL) {
        // This Works..
        SSL_CTX *ctx = NULL;
        ...
    } else {
        int opt_val = 0;

        if(ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &opt_val) != LDAP_OPT_SUCCESS) {
            /// ERROR if here (does not happen)
        }

        // This works till now
        opt_val = LDAP_OPT_X_TLS_TRY;
        if(ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val) != LDAP_OPT_SUCCESS) {
            if(ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val) != LDAP_OPT_SUCCESS) {
                // Error ..
            }
        }

        m_error = ldap_start_tls_s(corePnt->m_ldap, NULL, NULL);
        ...
Note that m_error gets a -11...
On the server the output (-d 1) is:
    connection_get(14): got connid=1007
    connection_read(14): checking for input on id=1007
    TLS: error: accept - force handshake failure: errno 11 - moznss error -5938
    TLS: can't accept: (unknown).
I have no clue why this is not working.
Another interesting thing: on Ubuntu I tried to change the TLS_REQCERT option to "allow" ... and the code works - but I cannot get it working by using ldap_set_option() (on Fedora 14/15 setting the option in the ldap.conf file - in /etc/openldap/ - does not work).
Heeeeeellp!!! :D
Cheers, Max
On 06/10/2011 10:50 PM, Rich Megginson wrote:
On Fri, Jun 10, 2011 at 4:19 PM, Massimiliano Palapala@isis.poly.edu wrote:
Hi Philip, all,
Thanks for the advice. I have changed the code, and the option is set correctly. Question: do you think it is safe to do this as a fallback:

    if(ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &level) != LDAP_OPT_SUCCESS) {
        if(ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &level) != LDAP_OPT_SUCCESS) {
            /// Total Failure
        }
    }
Still.. although I set the option, I still get the -11 error when trying to bind.
What -11 error? Client or server? Can you run with -d 1 to get detailed trace information?
Is there any other option I have to set to "disable" certificate verification for the non-OpenSSL crypto API?
Cheers, Max
On 06/10/2011 05:23 PM, Philip Guenther wrote: [..]
Howard has already pointed out that the value must be an LDAP_OPT_X_TLS_* constant and not a string; I just wanted to add that in version 2.3 and earlier, that option (and most of the other TLS options) could only be set globally: ldap_set_option() would fail for them if the first argument wasn't NULL. So, make sure you're building against a current version.
Philip Guenther
--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D. Director, OpenCA Labs Professor, NYU Poly
On 06/10/2011 10:32 PM, Massimiliano Pala wrote:
Hi Rich,
To provide a better picture: I am trying to use OpenLDAP to connect to a server and ignore errors in the authentication of the certificates. I am working on a *client*.
In particular the code I wrote is like this:
    ldap_initialize(&ld, url);

    if(crypto_api == LDAP_CRYPTO_API_OPENSSL) {
        // This Works..
        SSL_CTX *ctx = NULL;
        ...
    } else {
        int opt_val = 0;

        if(ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &opt_val) != LDAP_OPT_SUCCESS) {
            /// ERROR if here (does not happen)
        }

        // This works till now
        opt_val = LDAP_OPT_X_TLS_TRY;
        if(ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val) != LDAP_OPT_SUCCESS) {
            if(ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val) != LDAP_OPT_SUCCESS) {
                // Error ..
            }
        }

        m_error = ldap_start_tls_s(corePnt->m_ldap, NULL, NULL);
        ...
Note that m_error gets a -11...
On the server the output (-d 1) is:
    connection_get(14): got connid=1007
    connection_read(14): checking for input on id=1007
    TLS: error: accept - force handshake failure: errno 11 - moznss error -5938
    TLS: can't accept: (unknown).

-5938 is 'end of file encountered', i.e. the client just disconnected.
I have no clue why this is not working.
Another interesting thing: on Ubuntu I tried to change the TLS_REQCERT option to "allow" ... and the code works - but I cannot get it working by using ldap_set_option() (on Fedora 14/15 setting the option in the ldap.conf file - in /etc/openldap/ - does not work).

Try this, on Fedora 14/15:
LDAPTLS_REQCERT=never ldapsearch -x -d 1 -ZZ -H ldap://yourhost:yourport -s base -b "" > output.log 2>&1
paste the output to fpaste.org (please obscure any sensitive information first)
email the link to this list
Heeeeeellp!!! :D
Cheers, Max
On 06/10/2011 10:50 PM, Rich Megginson wrote:
On Fri, Jun 10, 2011 at 4:19 PM, Massimiliano Palapala@isis.poly.edu wrote:
Hi Philip, all,
Thanks for the advice. I have changed the code, and the option is set correctly. Question: do you think it is safe to do this as a fallback:

    if(ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &level) != LDAP_OPT_SUCCESS) {
        if(ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &level) != LDAP_OPT_SUCCESS) {
            /// Total Failure
        }
    }
Still.. although I set the option, I still get the -11 error when trying to bind.
What -11 error? Client or server? Can you run with -d 1 to get detailed trace information?
Is there any other option I have to set to "disable" certificate verification for the non-OpenSSL crypto API?
Cheers, Max
On 06/10/2011 05:23 PM, Philip Guenther wrote: [..]
Howard has already pointed out that the value must be an LDAP_OPT_X_TLS_* constant and not a string; I just wanted to add that in version 2.3 and earlier, that option (and most of the other TLS options) could only be set globally: ldap_set_option() would fail for them if the first argument wasn't NULL. So, make sure you're building against a current version.
Philip Guenther
--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D. Director, OpenCA Labs Professor, NYU Poly
Hello Rich,
responses inline..
On 06/13/2011 10:30 AM, Rich Megginson wrote: [...]
LDAPTLS_REQCERT=never ldapsearch -x -d 1 -ZZ -H ldap://yourhost:yourport -s base -b "" > output.log 2>&1
I executed the command, and it worked. I attach the output. Any help on how I can duplicate this behavior in my application?
More specifically, when shall I set the option:

    int opt_val = LDAP_OPT_X_TLS_ALLOW;
    ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val)

Possibilities:
- At startup with ld == NULL ?
- Right after ldap_initialize(&ld, url) - i.e. before ldap_start_tls() ?
- Elsewhere ?
Last but not least: shall I use ALLOW, TRY, or NEVER as the option for REQUIRE_CERT?
Cheers, Max
On 06/14/2011 09:40 AM, Massimiliano Pala wrote:
Hello Rich,
responses inline..
On 06/13/2011 10:30 AM, Rich Megginson wrote: [...]
LDAPTLS_REQCERT=never ldapsearch -x -d 1 -ZZ -H ldap://yourhost:yourport -s base -b "" > output.log 2>&1
I executed the command, and it worked. I attach the output. Any help on how I can duplicate this behavior in my application?
More specifically, when shall I set the option:

    int opt_val = LDAP_OPT_X_TLS_ALLOW;
    ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val)
Possibilities:
- At startup with ld == NULL ?
- Right after ldap_initialize(&ld, url) - i.e. before ldap_start_tls() ?
- Elsewhere ?
I don't know. I suggest taking a look at the source code for ldapsearch - since that works, if you can do what it does, you should be good to go: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=clients/too... and http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=clients/too...
Last but not least: shall I use ALLOW, TRY, or NEVER as the option for REQUIRE_CERT?
Cheers, Max
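Editor's note with an added example; this is not Max's code, not the code ldapsearch uses, and not an answer from anyone in the thread. Two facts help read the thread: -11 is LDAP_CONNECT_ERROR, which ldap_start_tls_s returns when the client side aborts the TLS handshake (a rejected server certificate is the usual cause, matching the "end of file" the server logged), and libldap builds a handle's TLS context from the options in effect at the moment LDAP_OPT_X_TLS_NEWCTX is processed, so LDAP_OPT_X_TLS_REQUIRE_CERT and any CA file have to be set before NEWCTX, the reverse of the order in the posted fragment. On the ALLOW/TRY/NEVER question, ldap.conf(5) defines the levels: never and allow accept any server certificate (no protection against an impersonating directory), try rejects a bad certificate but tolerates a missing one, and demand/hard (the default) insist on a valid one. The program below maps the TLS_REQCERT keywords to the LDAP_OPT_X_TLS_* constants, classifies them by that property, and applies a level to a handle in the required order. The HAVE_LDAP_H build macro and all function names are this example's own; without the macro only the keyword mapping is compiled, so it builds where libldap headers are absent.

```c
/* Added example (not from the thread): set the TLS_REQCERT policy on an
 * OpenLDAP client handle with ldap_set_option(3) in the order libldap needs.
 *   with libldap:     cc -DHAVE_LDAP_H reqcert.c -o reqcert -lldap -llber
 *   without libldap:  cc reqcert.c -o reqcert      (keyword mapping only)
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#ifdef HAVE_LDAP_H
#include <ldap.h>
#else
/* Fallback copies of the <ldap.h> values so the mapping compiles without the
 * headers; with HAVE_LDAP_H the library's own definitions are used. */
#define LDAP_OPT_X_TLS_NEVER  0
#define LDAP_OPT_X_TLS_HARD   1
#define LDAP_OPT_X_TLS_DEMAND 2
#define LDAP_OPT_X_TLS_ALLOW  3
#define LDAP_OPT_X_TLS_TRY    4
#endif

/* Map a TLS_REQCERT keyword (ldap.conf(5) / LDAPTLS_REQCERT) to the constant
 * LDAP_OPT_X_TLS_REQUIRE_CERT expects; -1 for an unknown keyword. */
int tls_reqcert_parse(const char *kw)
{
    if (!kw) return -1;
    if (strcasecmp(kw, "never")  == 0) return LDAP_OPT_X_TLS_NEVER;
    if (strcasecmp(kw, "allow")  == 0) return LDAP_OPT_X_TLS_ALLOW;
    if (strcasecmp(kw, "try")    == 0) return LDAP_OPT_X_TLS_TRY;
    if (strcasecmp(kw, "demand") == 0) return LDAP_OPT_X_TLS_DEMAND;
    if (strcasecmp(kw, "hard")   == 0) return LDAP_OPT_X_TLS_HARD;
    return -1;
}

/* ldap.conf(5): does a *bad* server certificate end the session?
 * never and allow accept anything; try, demand and hard reject it. */
int tls_reqcert_rejects_bad_cert(int level)
{
    return level == LDAP_OPT_X_TLS_TRY || level == LDAP_OPT_X_TLS_DEMAND ||
           level == LDAP_OPT_X_TLS_HARD;
}

/* ldap.conf(5): is a server certificate mandatory? Only demand/hard (the
 * default) refuse a server that presents none. */
int tls_reqcert_requires_cert(int level)
{
    return level == LDAP_OPT_X_TLS_DEMAND || level == LDAP_OPT_X_TLS_HARD;
}

#ifdef HAVE_LDAP_H
/* Open url, apply the policy to this handle, build the TLS context, StartTLS.
 * Returns an LDAP result code; -11 is LDAP_CONNECT_ERROR. */
int connect_starttls(const char *url, int reqcert, const char *cafile, LDAP **out)
{
    LDAP *ld = NULL;
    int rc, version = LDAP_VERSION3, is_server = 0;
    char *diag = NULL;

    rc = ldap_initialize(&ld, url);
    if (rc != LDAP_SUCCESS) return rc;
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);

    /* 1. Verification policy and trust anchors first ... */
    if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert)) != LDAP_OPT_SUCCESS) goto fail;
    if (cafile && (rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, cafile)) != LDAP_OPT_SUCCESS) goto fail;
    /* 2. ... then NEWCTX, which snapshots those options into the TLS context.
     *    NEWCTX before REQUIRE_CERT leaves the default (demand) in force. */
    if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &is_server)) != LDAP_OPT_SUCCESS) goto fail;

    rc = ldap_start_tls_s(ld, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &diag);
        fprintf(stderr, "ldap_start_tls_s: %s (%d)%s%s\n", ldap_err2string(rc), rc,
                diag ? ": " : "", diag ? diag : "");
        if (diag) ldap_memfree(diag);
        goto fail;
    }
    *out = ld;
    return LDAP_SUCCESS;
fail:
    ldap_unbind_ext_s(ld, NULL, NULL);
    return rc;
}

int main(int argc, char **argv)
{
    LDAP *ld = NULL;
    int level, rc;
    if (argc < 3) {
        fprintf(stderr, "usage: %s ldap://host:port never|allow|try|demand [cacert.pem]\n", argv[0]);
        return 2;
    }
    level = tls_reqcert_parse(argv[2]);
    if (level < 0) { fprintf(stderr, "unknown TLS_REQCERT keyword: %s\n", argv[2]); return 2; }
    if (!tls_reqcert_rejects_bad_cert(level))
        fprintf(stderr, "note: %s accepts any server certificate\n", argv[2]);
    rc = connect_starttls(argv[1], level, argc > 3 ? argv[3] : NULL, &ld);
    if (rc != LDAP_SUCCESS) return 1;
    puts("StartTLS established");
    ldap_unbind_ext_s(ld, NULL, NULL);
    return 0;
}
#else
int main(void)
{
    const char *kws[] = { "never", "allow", "try", "demand", "hard" };
    for (size_t i = 0; i < sizeof kws / sizeof *kws; i++) {
        int l = tls_reqcert_parse(kws[i]);
        printf("%-6s -> %d  rejects bad cert: %d  requires cert: %d\n", kws[i], l,
               tls_reqcert_rejects_bad_cert(l), tls_reqcert_requires_cert(l));
    }
    return 0;
}
#endif
```

Run as `./reqcert ldap://yourhost:yourport demand /path/to/ca.pem` to reproduce what `LDAPTLS_REQCERT=... ldapsearch -ZZ` does from inside an application; passing the right CA file with demand is the fix that keeps verification on, whereas allow or never only hide the -11 by trusting whatever certificate the peer presents.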
openldap-technical@openldap.org