11:11 p.m.
On Sat, Aug 23, 2014 at 1:08 PM, SOMA SEKHAR <somasekhar44(a)gmail.com> wrote:
link to question on stackoverflow
<http://stackoverflow.com/questions/25457034/starttls-succesful-even-after...
I'm having trouble verifying the correct behavior of my software. Here are
the steps I am performing to verify correct operation:
1. I have sample code that uses openldap library and doing a start tls
to a ldap server.
2. I have set the global option for ca cert directory and tlx context
for the first time.
3. After that I did ldap init and ldap start tls to a server. This is
succesful as expected.
4. I did an ldap_unbind_s
5. I deleted the CA cert that signed the ldap server's certificate
from the ca cert directory of the client.
6. Again did ldap_init and ldap_start_tls_s .
7. I expected this call to fail , as I have removed the ca cert. But
what I observe is that , server sends the certificate but start_tls is
returning success.
I am using openldap 2.4 with libssl.0.9.8
LDAP *ld;int desired_version=3;
if ((ld = ldap_init(<hostname>, <server_port>)) == NULL ) {
printf("ldap_init failed\n");
exit(0);}
ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version);
ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR,"<ca dir>");
if(ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS){
printf("start tls failed.\n");
exit(0);}
...... <do bind and search>...
ldap_unbind_s(ld); ...
// DELETE the CA certificate from the ca dir. // Try to do start tls again
if ((ld = ldap_init(hostname, server_port)) == NULL ) {
printf("ldap_init failed , after deleting CA\n");
exit(0);}
// This goes fine even after deleting the CAif (ldap_start_tls_s(ld, NULL, NULL) !=
LDAP_SUCCESS){
printf("start tls failed after deleting CA.\n");
exit(0);}
--
Thanks&Regards,
SomaSekhar.
--
Thanks&Regards,
SomaSekhar.
11:44 p.m.
On Wed, 27 Aug 2014, SOMA SEKHAR wrote:
On Sat, Aug 23, 2014 at 1:08 PM, SOMA SEKHAR
<somasekhar44(a)gmail.com> wrote:
> link to question on stackoverflow
...
> I'm having trouble verifying the correct behavior of my
software. Here
> are the steps I am performing to verify correct operation:
>
> 1. I have sample code that uses openldap library and doing a start tls
> to a ldap server.
> 2. I have set the global option for ca cert directory and tlx context
> for the first time.
> 3. After that I did ldap init and ldap start tls to a server. This is
> succesful as expected.
> 4. I did an ldap_unbind_s
> 5. I deleted the CA cert that signed the ldap server's certificate
> from the ca cert directory of the client.
> 6. Again did ldap_init and ldap_start_tls_s .
> 7. I expected this call to fail , as I have removed the ca cert. But
> what I observe is that , server sends the certificate but start_tls is
> returning success.
If you feel this behavior is not described from the ldap_tls(3) and
ldap_get_option(3) manpages, then you should file an ITS asking that those
manpages be clarified.
As is, the only documented sure way to completely reset the SSL state is
to restart the process.
...
> ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
You used this option here, but not later? If you don't know what this
option does, why did you call it?
Philip
midnight
Hi Philip ,
Thanks for the quick response. As far as I know , LDAP_OPT_X_TLS_CTX will
set the SSL_CTX pointer. I tried to set this opition to NULL before I did a
start tls for the second time. I observed process crash at this time .
. From what you are saying , I understood that SSL_CTX had conext from
which the ca cert is verified for the second time. Please correct me if I
am wrong
On Thu, Aug 28, 2014 at 12:14 PM, Philip Guenther <pguenther(a)proofpoint.com>
wrote:
On Wed, 27 Aug 2014, SOMA SEKHAR wrote:
> On Sat, Aug 23, 2014 at 1:08 PM, SOMA SEKHAR <somasekhar44(a)gmail.com>
wrote:
> > link to question on stackoverflow
...
> > I'm having trouble verifying the correct behavior of my software. Here
> > are the steps I am performing to verify correct operation:
> >
> > 1. I have sample code that uses openldap library and doing a start
tls
> > to a ldap server.
> > 2. I have set the global option for ca cert directory and tlx
context
> > for the first time.
> > 3. After that I did ldap init and ldap start tls to a server. This
is
> > succesful as expected.
> > 4. I did an ldap_unbind_s
> > 5. I deleted the CA cert that signed the ldap server's certificate
> > from the ca cert directory of the client.
> > 6. Again did ldap_init and ldap_start_tls_s .
> > 7. I expected this call to fail , as I have removed the ca cert. But
> > what I observe is that , server sends the certificate but start_tls
is
> > returning success.
If you feel this behavior is not described from the ldap_tls(3) and
ldap_get_option(3) manpages, then you should file an ITS asking that those
manpages be clarified.
As is, the only documented sure way to completely reset the SSL state is
to restart the process.
...
> > ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
You used this option here, but not later? If you don't know what this
option does, why did you call it?
Philip
--
Thanks&Regards,
SomaSekhar.
12:31 a.m.
On Thu, 28 Aug 2014, SOMA SEKHAR wrote:
Thanks for the quick response. As far as I know ,
LDAP_OPT_X_TLS_CTX
will set the SSL_CTX pointer. I tried to set this opition to NULL before
I did a start tls for the second time. I observed process crash at this
time .
Did you file an ITS about that?
. From what you are saying , I understood that SSL_CTX had conext
from
which the ca cert is verified for the second time. Please correct me if
I am wrong
That's my *guess*, but I may be completely wrong. I no longer have a need
to "JUST MAKE IT WORK" for my job, so I'm not going to waste my time
reading the openldap source to find a workaround for the stuff that the
openldap developers aren't going to stand behind by documenting.
Philip Guenther
12:40 a.m.
Thanks Philip. I am new to openldap and openssl. I will check my code once
again and try to file an ITS .
Thanks again. This is of great help.
On Thu, Aug 28, 2014 at 1:01 PM, Philip Guenther <pguenther(a)proofpoint.com>
wrote:
On Thu, 28 Aug 2014, SOMA SEKHAR wrote:
> Thanks for the quick response. As far as I know , LDAP_OPT_X_TLS_CTX
> will set the SSL_CTX pointer. I tried to set this opition to NULL before
> I did a start tls for the second time. I observed process crash at this
> time .
Did you file an ITS about that?
> . From what you are saying , I understood that SSL_CTX had conext from
> which the ca cert is verified for the second time. Please correct me if
> I am wrong
That's my *guess*, but I may be completely wrong. I no longer have a need
to "JUST MAKE IT WORK" for my job, so I'm not going to waste my time
reading the openldap source to find a workaround for the stuff that the
openldap developers aren't going to stand behind by documenting.
Philip Guenther
--
Thanks&Regards,
SomaSekhar.
8:56 a.m.
Philip Guenther wrote:
On Thu, 28 Aug 2014, SOMA SEKHAR wrote:
> . From what you are saying , I understood that SSL_CTX had conext from
> which the ca cert is verified for the second time. Please correct me if
> I am wrong
That's my *guess*, but I may be completely wrong. I no longer have a need
to "JUST MAKE IT WORK" for my job, so I'm not going to waste my time
reading the openldap source to find a workaround for the stuff that the
openldap developers aren't going to stand behind by documenting.
We aren't going to spend our time documenting what individual TLS libraries
do. With various distros using GnuTLS or MozNSS, that's clearly beyond our scope.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3208
days inactive
3208
days old
openldap-technical@openldap.org
5 comments
3 participants
participants (3)
-
Howard Chu -
Philip Guenther -
SOMA SEKHAR