On Wed, 27 Aug 2014, SOMA SEKHAR wrote:
On Sat, Aug 23, 2014 at 1:08 PM, SOMA SEKHAR
> link to question on stackoverflow
> I'm having trouble verifying the correct behavior of my
> are the steps I am performing to verify correct operation:
> 1. I have sample code that uses openldap library and doing a start tls
> to a ldap server.
> 2. I have set the global option for ca cert directory and tls context
> for the first time.
> 3. After that I did ldap init and ldap start tls to a server. This is
> successful as expected.
> 4. I did an ldap_unbind_s
> 5. I deleted the CA cert that signed the ldap server's certificate
> from the ca cert directory of the client.
> 6. Again did ldap_init and ldap_start_tls_s .
> 7. I expected this call to fail, as I have removed the ca cert. But
> what I observe is that the server sends the certificate but start_tls is
> returning success.
If you feel this behavior is not described in the ldap_tls(3) and
ldap_get_option(3) manpages, then you should file an ITS asking that those
manpages be clarified.
As is, the only documented sure way to completely reset the SSL state is
to restart the process.
> ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
You used this option here, but not later? If you don't know what this
option does, why did you call it?