[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SSL Question: Is Everyone Ignorant or Just Non-responsive

To: "Matt" <mmaynard@student.math.uwaterloo.ca>, <openldap-software@OpenLDAP.org>
Subject: RE: SSL Question: Is Everyone Ignorant or Just Non-responsive
From: "Howard Chu" <hyc@highlandsun.com>
Date: Thu, 16 Aug 2001 00:41:49 -0700
Importance: Normal
In-reply-to: <Pine.SOL.4.05.10108151428140.9757-100000@fitch.math.uwaterloo.ca>

In rev 1.26 of libldap/tls.c I had added a function
ldap_pvt_tls_get_handle() which would return the (SSL *) from a given (LDAP
*) but apparently this function is now
gone. The only other option for getting hold of the (SSL *) with the current
APIs
is something like this (error checks omitted):

	LDAP *ld;
	SSL_CTX ctx;
	int result;

	result=ldap_initialize(&ld, "ldaps://foo.com:9876");
	result=ldap_get_option(ld, LDAP_OPT_X_TLS_CTX, &ctx);
	SSL_CTX_set_info_callback(ctx, myinfo_cb);

your info callback function will be called like so:

static void myinfo_cb(SSL *ssl, int where, int ret)

You can stuff the SSL handle somewhere, or just process it with the usual
SSL_get_peer_certificate(ssl) call.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Matt
> Sent: Wednesday, August 15, 2001 11:37 AM
> To: openldap-software@OpenLDAP.org
> Subject: Re: SSL Question: Is Everyone Ignorant or Just Non-responsive
>
>
> Hi John,
>
> 	I think I am trying to do the same type of thing that you are
> trying to do.  I want my application to be able to access the certificate
> of the LDAP server (over ldaps:// or TLS, I dont particularly care which),
> and I have been working on other things for the last little while.
>
> 	In a post from Kurt Zeilanga, he noted that the openssl s_client
> program could read the certificate information from a ldap server running
> on ldaps:// .  This works for me - I can see my certificate and presumably
> if I looked at what the openssl s_client was doing on this and wrote
> something like this in my application then I should be able to get it
> working. I haven't done this yet, but I plan to .  It would be nice if ?I
> could figure out how to get this working over TLS that would be even
> nicer, but right now it doesnt look to possible.
>
> 	The ldap library doesn't seem to provide any nice way to access
> the LDAP server certificate, which is a pain for me, but I guess that it
> isn't a common thing to do.
>
> 	I would love to hear any tips you receive or have come up with.
>
> Thanks
>
> Matt Maynard
> 4B Computer Science University of Waterloo
>
>
>

Follow-Ups:
- RE: SSL Question: Is Everyone Ignorant or Just Non-responsive
  - From: Logan Parthipan <zeropulse2001@yahoo.com>

References:
- Re: SSL Question: Is Everyone Ignorant or Just Non-responsive
  - From: Matt <mmaynard@student.math.uwaterloo.ca>

Prev by Date: Re: Re: ldap and mysql as backend
Next by Date: Re: possible to use webPassword or mailPassword for auth ?
Index(es):
- Chronological
- Thread