11:21 a.m.
Hi all,
are there examples on how to use STARTLS without requiring that the
server's certificate is trusted ?
If the crypto api used in the ldap library is OpenSSL, that is easy:
- create a new ssl_ctx() with SSL_CTX_new()
- set my function as the verify function with SSL_CTX_set_verify()
- use the LDAP_OPT_X_TLS_CTX option to point to my new ssl_ctx
My problem is: when GnuTLS or NSS crypto libraries are used instead,
how do I force the same behavior ? Or, if providing my own function
is not possible, how do I force the STARTLS to go on also if it finds
non-trusted server/CA certificates ?
Thanks,
Max
--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly
12:05 p.m.
On 06/10/2011 12:21 PM, Massimiliano Pala wrote:
Hi all,
are there examples on how to use STARTLS without requiring that the
server's certificate is trusted ?
If the crypto api used in the ldap library is OpenSSL, that is easy:
- create a new ssl_ctx() with SSL_CTX_new()
- set my function as the verify function with SSL_CTX_set_verify()
- use the LDAP_OPT_X_TLS_CTX option to point to my new ssl_ctx
My problem is: when GnuTLS or NSS crypto libraries are used instead,
how do I force the same behavior ? Or, if providing my own function
is not possible, how do I force the STARTLS to go on also if it finds
non-trusted server/CA certificates ?
man ldap.conf
TLS_REQCERT <level>
never, allow, try
Thanks,
Max
1:11 p.m.
Hi Rich,
that's not really what I wanted.. I am developing my own ldap client
and I wanted to know what is the code path to set the option.
I tried to use the following:
ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, "never")
but it always fails ( != 0).
Also, I would like to know if there's a possibility to set a callback
for the verify of the certificates.
Cheers,
Max
On 06/10/2011 03:05 PM, Rich Megginson wrote:
[...]
TLS_REQCERT <level>
never, allow, try
--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly
1:38 p.m.
On 06/10/2011 02:11 PM, Massimiliano Pala wrote:
Hi Rich,
that's not really what I wanted.. I am developing my own ldap client
and I wanted to know what is the code path to set the option.
I tried to use the following:
ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, "never")
but it always fails ( != 0).
man ldap_set_option
LDAP_OPT_X_TLS_REQUIRE_CERT
Sets/gets the peer certificate checking strategy,
one of
LDAP_OPT_X_TLS_NEVER,
LDAP_OPT_X_TLS_HARD,
LDAP_OPT_X_TLS_DEMAND, LDAP_OPT_X_TLS_ALLOW,
LDAP_OPT_X_TLS_TRY.
int reqcert = LDAP_OPT_X_TLS_NEVER;
...
rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
Also, I would like to know if there's a possibility to set a callback
for the verify of the certificates.
No that I know of. The problem here is - what
would be passed to this
callback? A certificate? In which format?
Cheers,
Max
On 06/10/2011 03:05 PM, Rich Megginson wrote:
[...]
> TLS_REQCERT <level>
> never, allow, try
1:48 p.m.
Massimiliano Pala wrote:
Hi Rich,
that's not really what I wanted.. I am developing my own ldap client
and I wanted to know what is the code path to set the option.
I tried to use the following:
ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, "never")
but it always fails ( != 0).
Of course. For ldap_set_option you must use the proper value, e.g.
LDAP_OPT_X_TLS_NEVER.
Also, I would like to know if there's a possibility to set a
callback
for the verify of the certificates.
Cheers,
Max
On 06/10/2011 03:05 PM, Rich Megginson wrote:
[...]
> TLS_REQCERT<level>
> never, allow, try
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
2:23 p.m.
On Fri, 10 Jun 2011, Massimiliano Pala wrote:
that's not really what I wanted.. I am developing my own ldap
client and
I wanted to know what is the code path to set the option.
I tried to use the following:
ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, "never")
but it always fails ( != 0).
Howard has already pointed out that the value must be an LDAP_OPT_X_TLS_*
constant and not a string; I just wanted to add that in version 2.3 and
earlier, that option (and most of the other TLS options) could only be set
globally: ldap_set_option() would fail for them if the first argument
wasn't NULL. So, make sure you're building against a current version.
Philip Guenther
3:19 p.m.
Hi Philip, all,
thanks for the advice. I have changed the code.. and the option is set
correctly. Question, do you think it is safe to do this as a fallback:
if(ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &level) !=
LDAP_OPT_SUCCESS)
{
if(ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &level) !=
LDAP_OPT_SUCCESS)
{
/// Total Failure
}
}
Still.. although I set the option, I still get the -11 error when
trying to bind.
Is there any other option I have to set to "disable" certificate
verification for non-openssl crypto api ?
Cheers,
Max
On 06/10/2011 05:23 PM, Philip Guenther wrote:
[..]
Howard has already pointed out that the value must be an
LDAP_OPT_X_TLS_*
constant and not a string; I just wanted to add that in version 2.3 and
earlier, that option (and most of the other TLS options) could only be set
globally: ldap_set_option() would fail for them if the first argument
wasn't NULL. So, make sure you're building against a current version.
Philip Guenther
--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly
4255
days inactive
4255
days old
openldap-technical@openldap.org
6 comments
4 participants
participants (4)
-
Howard Chu -
Massimiliano Pala -
Philip Guenther -
Rich Megginson