On 06/10/2011 10:32 PM, Massimiliano Pala wrote:
to provide a better vision, I am trying to use openldap to connect to
and ignoring errors in authentication of the certificates. I am
working on a
In particular the code I wrote is like this:
if(crypto_api == LDAP_CRYPTO_API_OPENSSL)
// This Works..
SSL_CTX *ctx = NULL;
int opt_val = 0;
if(ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &opt_val) !=
/// ERROR if here (does not happen)
// This works till now
opt_val = LDAP_OPT_X_TLS_TRY;
if(ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val) !=
if(ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val) !=
m_error = ldap_start_tls_s(corePnt->m_ldap, NULL, NULL);
Note that m_error gets a -11...
On the server the output (-d 1) is:
connection_get(14): got connid=1007
connection_read(14): checking for input on id=1007
TLS: error: accept - force handshake failure: errno 11 - moznss error
TLS: can't accept: (unknown).
-5938 is 'end of file encountered' i.e.
the client just disconnected
I have no clue why this is not working.
Another thing which is interesting.. on Ubuntu I tried to change the
option to "allow" ... and the code works - but I can not have it
using the ldap_set_option().. (on Fedora 14/15 setting the option in the
ldap.conf file - in /etc/openldap/ - does not work..).
Try this, on fedora 14/15
LDAPTLS_REQCERT=never ldapsearch -x -d 1 -ZZ -H ldap://yourhost:yourport
-s base -b "" > output.log 2>&1
paste the output to fpaste.org
(please obscure any sensitive information
email the link to this list
On 06/10/2011 10:50 PM, Rich Megginson wrote:
> On Fri, Jun 10, 2011 at 4:19 PM, Massimiliano
> Pala<pala(a)isis.poly.edu> wrote:
>> Hi Philip, all,
>> thanks for the advice. I have changed the code.. and the option is set
>> correctly. Question, do you think it is safe to do this as a fallback:
>> if(ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT,&level) !=
>> if(ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,&level) !=
>> /// Total Failure
>> Still.. although I set the option, I still get the -11 error when
>> trying to bind.
> What -11 error? Client or server? Can you run with -d 1 to get
> detailed trace information?
>> Is there any other option I have to set to "disable" certificate
>> verification for non-openssl crypto api ?
>> On 06/10/2011 05:23 PM, Philip Guenther wrote:
>>> Howard has already pointed out that the value must be an
>>> constant and not a string; I just wanted to add that in version 2.3
>>> earlier, that option (and most of the other TLS options) could only
>>> be set
>>> globally: ldap_set_option() would fail for them if the first argument
>>> wasn't NULL. So, make sure you're building against a current
>>> Philip Guenther
>> Massimiliano Pala, Ph.D.
>> Director, OpenCA Labs
>> Professor, NYU Poly