10:37 p.m.
Hi all,
I have a little problem. I am implementing an application that uses the
OpenLDAP libraries. Until not too much time ago, linking with OpenSSL was
sufficiently safe (on almost every Linux distros) and providing my own
verification function through the SSL_CTX (by using the ldap_set_option(m_ldap,
LDAP_OPT_SERVER_CERTIFICATE, _my_verify)) was easy.
Now, Linux distros started to use GnuTLS, NSS, and OpenSSL as the crypto
API.
My question is: how do I develop an application that when deployed on different
systems might need to use functions and data structures from different crypto-api
(e.g., when I distribute the binaries of my app) ?
How can I retrieve that info *at runtime* (I'd like my binaries to be compatible) ?
At least, is there a function that allows me to know which crypto APIs are
expected by libldap_r (so that I don't pass in the wrong data structure
since it is a (void *)) ? Or at least, is there a way to set/get options so that
I would know which API is in use ?
Thanks,
--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly
2:15 a.m.
Massimiliano Pala wrote:
Hi all,
I have a little problem. I am implementing an application that uses the
OpenLDAP libraries. Until not too much time ago, linking with OpenSSL was
sufficiently safe (on almost every Linux distros) and providing my own
verification function through the SSL_CTX (by using the ldap_set_option(m_ldap,
LDAP_OPT_SERVER_CERTIFICATE, _my_verify)) was easy.
Now, Linux distros started to use GnuTLS, NSS, and OpenSSL as the crypto
API.
My question is: how do I develop an application that when deployed on different
systems might need to use functions and data structures from different crypto-api
(e.g., when I distribute the binaries of my app) ?
How can I retrieve that info *at runtime* (I'd like my binaries to be compatible) ?
At least, is there a function that allows me to know which crypto
APIs are
expected by libldap_r (so that I don't pass in the wrong data structure
since it is a (void *)) ? Or at least, is there a way to set/get options so that
I would know which API is in use ?
Good question. The implementation name is present in the library but there is
no option to retrieve it. Unfortunately it was deleted from the earlier
version of the new TLS code (which allowed the TLS implementation to be
dynamically selected at runtime). I've added the option back to the git
master, but it's a bit late to help your immediate problem.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6:38 a.m.
Hi Howard,
thanks for the quick answer! Unfortunately I will have to deal with a lot of
issues with distributing my libraries before the fix can really be used... I
notice that I can check if a lib has been compiled with OpenSSL by tying to
set the LDAP_OPT_X_TLS_CRLCHECK, but there are no options specific for GnuTLS
or NSS that I can use for that purpose.. Any idea there ?
Also, what is the name of the new option you just committed ?
Thanks,
Max
On 06/10/2011 05:15 AM, Howard Chu wrote:
[...]
Good question. The implementation name is present in the library but
there is no option to
retrieve it. Unfortunately it was deleted from the earlier version of the new TLS code
(which allowed the TLS implementation to be dynamically selected at runtime). I've
added
the option back to the git master, but it's a bit late to help your immediate
problem.
--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly
11:26 a.m.
New subject: Linking Clients::which Crypto API ? (SOLVED)
Hello All,
if any of you are interested how to solve the problem with the current
version of the API, here's the solution:
1. Define the following in your code
typedef struct tls_impl {
const char *ti_name;
} tls_impl;
extern tls_impl ldap_int_tls_impl;
2. Now check the ti_name to discover which crypto lib has been linked:
if(strncmp(ldap_int_tls_impl.ti_name, "MozNSS", 6) == 0)
{
// NSS
}
else if (strncmp(ldap_int_tls_impl.ti_name, "GnuTLS", 6) == 0)
{
// GnuTLS
}
else if (strncmp(ldap_int_tls_impl.ti_name, "OpenSSL", 7) == 0)
{
// OpenSSL
}
else
{
// Unknown
}
I hope this will help other people in building more portable binaries... :D
Cheers,
Max
On 06/10/2011 01:37 AM, Massimiliano Pala wrote:
Hi all,
I have a little problem. I am implementing an application that uses the
OpenLDAP libraries. Until not too much time ago, linking with OpenSSL was
sufficiently safe (on almost every Linux distros) and providing my own
verification function through the SSL_CTX (by using the ldap_set_option(m_ldap,
LDAP_OPT_SERVER_CERTIFICATE, _my_verify)) was easy.
Now, Linux distros started to use GnuTLS, NSS, and OpenSSL as the crypto
API.
My question is: how do I develop an application that when deployed on different
systems might need to use functions and data structures from different crypto-api
(e.g., when I distribute the binaries of my app) ?
How can I retrieve that info *at runtime* (I'd like my binaries to be compatible) ?
At least, is there a function that allows me to know which crypto APIs are
expected by libldap_r (so that I don't pass in the wrong data structure
since it is a (void *)) ? Or at least, is there a way to set/get options so that
I would know which API is in use ?
Thanks,
--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly
4:27 p.m.
New subject: Linking Clients::which Crypto API ? (SOLVED)
Massimiliano Pala wrote:
Hello All,
if any of you are interested how to solve the problem with the current
version of the API, here's the solution:
This worked for you, today. You're using a libldap-internal data structure
though; it will not work for everyone across all platforms and it may not even
continue to work for you tomorrow.
1. Define the following in your code
typedef struct tls_impl {
const char *ti_name;
} tls_impl;
extern tls_impl ldap_int_tls_impl;
2. Now check the ti_name to discover which crypto lib has been linked:
if(strncmp(ldap_int_tls_impl.ti_name, "MozNSS", 6) == 0)
{
// NSS
}
else if (strncmp(ldap_int_tls_impl.ti_name, "GnuTLS", 6) == 0)
{
// GnuTLS
}
else if (strncmp(ldap_int_tls_impl.ti_name, "OpenSSL", 7) == 0)
{
// OpenSSL
}
else
{
// Unknown
}
I hope this will help other people in building more portable binaries... :D
Cheers,
Max
On 06/10/2011 01:37 AM, Massimiliano Pala wrote:
> Hi all,
>
> I have a little problem. I am implementing an application that uses the
> OpenLDAP libraries. Until not too much time ago, linking with OpenSSL was
> sufficiently safe (on almost every Linux distros) and providing my own
> verification function through the SSL_CTX (by using the ldap_set_option(m_ldap,
> LDAP_OPT_SERVER_CERTIFICATE, _my_verify)) was easy.
>
> Now, Linux distros started to use GnuTLS, NSS, and OpenSSL as the crypto
> API.
>
> My question is: how do I develop an application that when deployed on different
> systems might need to use functions and data structures from different crypto-api
> (e.g., when I distribute the binaries of my app) ?
>
> How can I retrieve that info *at runtime* (I'd like my binaries to be compatible)
?
>
> At least, is there a function that allows me to know which crypto APIs are
> expected by libldap_r (so that I don't pass in the wrong data structure
> since it is a (void *)) ? Or at least, is there a way to set/get options so that
> I would know which API is in use ?
>
> Thanks,
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
8:27 a.m.
New subject: Linking Clients::which Crypto API ? (SOLVED)
Hui Howard,
I know this is just an hack, and I don't expect it to work for long, but it is
the only solution I could find today that allowed me to distribute binaries that
are capable of working with openldap libraries without crashing when STARTLS is
executed.
I still have not been able to fix the certificate validation issue on non-openssl
linked libs (eg., with NSS - Fedora; or GnuTLS - Ubuntu;).
Still working on it..
Cheers,
Max
On 06/13/2011 07:27 PM, Howard Chu wrote:
[...]
This worked for you, today. You're using a libldap-internal data
structure though; it will
not work for everyone across all platforms and it may not even continue to work for you
tomorrow.
--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly
4375
days inactive
4379
days old
openldap-technical@openldap.org
5 comments
2 participants
participants (2)
-
Howard Chu -
Massimiliano Pala