RE: SSL Question: Is Everyone Ignorant or Just Non-responsive
In rev 1.26 of libldap/tls.c I had added a function ldap_pvt_tls_get_handle()
which would return the (SSL *) from a given (LDAP *) but apparently this
function is now gone. The only other option for getting hold of the (SSL *)
with the current APIs is something like this (error checks omitted):
#include <ldap.h>
#include <openssl/ssl.h>

LDAP *ld;
SSL_CTX *ctx;    /* a pointer: ldap_get_option stores the SSL_CTX * here */
int result;
result=ldap_initialize(&ld, "ldaps://foo.com:9876");
result=ldap_get_option(ld, LDAP_OPT_X_TLS_CTX, &ctx);
SSL_CTX_set_info_callback(ctx, myinfo_cb);

Your info callback function will be called like so:

static void myinfo_cb(const SSL *ssl, int where, int ret)   /* const, as OpenSSL declares the callback */

You can stuff the SSL handle somewhere, or just process it with the usual
SSL_get_peer_certificate(ssl) call.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Matt
> Sent: Wednesday, August 15, 2001 11:37 AM
> To: openldap-software@OpenLDAP.org
> Subject: Re: SSL Question: Is Everyone Ignorant or Just Non-responsive
>
>
> Hi John,
>
> I think I am trying to do the same type of thing that you are
> trying to do. I want my application to be able to access the certificate
> of the LDAP server (over ldaps:// or TLS, I don't particularly care which),
> and I have been working on other things for the last little while.
>
> In a post from Kurt Zeilenga, he noted that the openssl s_client
> program could read the certificate information from an LDAP server running
> on ldaps://. This works for me - I can see my certificate and presumably
> if I looked at what the openssl s_client was doing on this and wrote
> something like this in my application then I should be able to get it
> working. I haven't done this yet, but I plan to. It would be nice if I
> could figure out how to get this working over TLS; that would be even
> nicer, but right now it doesn't look to be possible.
>
> The ldap library doesn't seem to provide any nice way to access
> the LDAP server certificate, which is a pain for me, but I guess that it
> isn't a common thing to do.
>
> I would love to hear any tips you receive or have come up with.
>
> Thanks
>
> Matt Maynard
> 4B Computer Science University of Waterloo