Re: TLS/SSL some questions...
At 01:10 PM 2001-08-29, Geert Van Muylem wrote:
>I've some questions about the TLS/SSL protocol...
I'm not an LDAP/TLS expert, but I'll take a stab at it.
(I mostly use SASL-mechanism-provided confidentiality
protections.)
>- What does the API ldap_start_tls_s() do?
The call issues an LDAP Start TLS [RFC 2830] extended operation
and, if success is returned by the server, proceeds with a
TLS handshake.
>Does it just start the handshaking?
>Does it ask the LDAP Server for its certificate?
Yes.
>Don't you need the issuer certificate at the client side to be able to
>verify it, or does it always simply accept the issuer?
I believe it simply accepts the issuer unless CAs have
been provided (via ldap.conf(5) [undocumented features, sorry]).
>- how can i avoid that the api asks for the pass phrase of the secret key?
Don't encrypt the secret key.
> /* CLIENT CERTS AND KEYS */
> /* client certificate presented to the server during the TLS handshake */
> rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE,
>                              "C:\\LDAP\\cl1_crt.pem");
> if ( rc != LDAP_SUCCESS )
> {
>     /* error handling left empty in the original post */
> }
> /* matching private key (unencrypted, so no passphrase prompt) */
> rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE,
>                              "C:\\LDAP\\cl1_sk.pem");
> if ( rc != LDAP_SUCCESS )
> {
>     /* error handling left empty in the original post */
> }
>
>- Does anyone have a good description of the protocol?
RFC 2830.