Hi all,
are there examples on how to use STARTLS without requiring that the server's certificate is trusted ?
If the crypto api used in the ldap library is OpenSSL, that is easy: - create a new ssl_ctx() with SSL_CTX_new() - set my function as the verify function with SSL_CTX_set_verify() - use the LDAP_OPT_X_TLS_CTX option to point to my new ssl_ctx
My problem is: when GnuTLS or NSS crypto libraries are used instead, how do I force the same behavior ? Or, if providing my own function is not possible, how do I force the STARTLS to go on also if it finds non-trusted server/CA certificates ?
Thanks, Max
On 06/10/2011 12:21 PM, Massimiliano Pala wrote:
Hi all,
are there examples on how to use STARTLS without requiring that the server's certificate is trusted ?
If the crypto api used in the ldap library is OpenSSL, that is easy:
- create a new ssl_ctx() with SSL_CTX_new()
- set my function as the verify function with SSL_CTX_set_verify()
- use the LDAP_OPT_X_TLS_CTX option to point to my new ssl_ctx
My problem is: when GnuTLS or NSS crypto libraries are used instead, how do I force the same behavior ? Or, if providing my own function is not possible, how do I force the STARTLS to go on also if it finds non-trusted server/CA certificates ?
man ldap.conf TLS_REQCERT <level> never, allow, try
Thanks, Max
Hi Rich,
that's not really what I wanted.. I am developing my own ldap client and I wanted to know what is the code path to set the option.
I tried to use the following:
ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, "never")
but it always fails ( != 0).
Also, I would like to know if there's a possibility to set a callback for the verify of the certificates.
Cheers, Max
On 06/10/2011 03:05 PM, Rich Megginson wrote: [...]
TLS_REQCERT <level> never, allow, try
On 06/10/2011 02:11 PM, Massimiliano Pala wrote:
Hi Rich,
that's not really what I wanted.. I am developing my own ldap client and I wanted to know what is the code path to set the option.
I tried to use the following:
ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, "never")
but it always fails ( != 0).
man ldap_set_option
LDAP_OPT_X_TLS_REQUIRE_CERT Sets/gets the peer certificate checking strategy, one of LDAP_OPT_X_TLS_NEVER, LDAP_OPT_X_TLS_HARD, LDAP_OPT_X_TLS_DEMAND, LDAP_OPT_X_TLS_ALLOW, LDAP_OPT_X_TLS_TRY.
int reqcert = LDAP_OPT_X_TLS_NEVER; ... rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
Also, I would like to know if there's a possibility to set a callback for the verify of the certificates.
No that I know of. The problem here is - what would be passed to this callback? A certificate? In which format?
Cheers, Max
On 06/10/2011 03:05 PM, Rich Megginson wrote: [...]
TLS_REQCERT <level> never, allow, try
Massimiliano Pala wrote:
Hi Rich,
that's not really what I wanted.. I am developing my own ldap client and I wanted to know what is the code path to set the option.
I tried to use the following:
ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, "never")
but it always fails ( != 0).
Of course. For ldap_set_option you must use the proper value, e.g. LDAP_OPT_X_TLS_NEVER.
Also, I would like to know if there's a possibility to set a callback for the verify of the certificates.
Cheers, Max
On 06/10/2011 03:05 PM, Rich Megginson wrote: [...]
TLS_REQCERT<level> never, allow, try
On Fri, 10 Jun 2011, Massimiliano Pala wrote:
that's not really what I wanted.. I am developing my own ldap client and I wanted to know what is the code path to set the option.
I tried to use the following:
ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, "never")
but it always fails ( != 0).
Howard has already pointed out that the value must be an LDAP_OPT_X_TLS_* constant and not a string; I just wanted to add that in version 2.3 and earlier, that option (and most of the other TLS options) could only be set globally: ldap_set_option() would fail for them if the first argument wasn't NULL. So, make sure you're building against a current version.
Philip Guenther
Hi Philip, all,
thanks for the advice. I have changed the code.. and the option is set correctly. Question, do you think it is safe to do this as a fallback:
if(ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &level) != LDAP_OPT_SUCCESS) { if(ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &level) != LDAP_OPT_SUCCESS) { /// Total Failure } }
Still.. although I set the option, I still get the -11 error when trying to bind.
Is there any other option I have to set to "disable" certificate verification for non-openssl crypto api ?
Cheers, Max
On 06/10/2011 05:23 PM, Philip Guenther wrote: [..]
Howard has already pointed out that the value must be an LDAP_OPT_X_TLS_* constant and not a string; I just wanted to add that in version 2.3 and earlier, that option (and most of the other TLS options) could only be set globally: ldap_set_option() would fail for them if the first argument wasn't NULL. So, make sure you're building against a current version.
Philip Guenther
openldap-technical@openldap.org
-
Howard Chu -
Massimiliano Pala -
Philip Guenther -
Rich Megginson