Re: LDAP_OPT_X_TLS*
Ignacio Coupeau wrote:
>
> Michael Ströder wrote:
> >
> > Where can I find docs about the exact semantics of the
> > SSL/TLS-related constants defined in ldap.h and their proper use
> > with StartTLS or LDAP over SSL?
> >
> > /* OpenLDAP TLS options */
> > #define LDAP_OPT_X_TLS 0x6000
> > #define LDAP_OPT_X_TLS_CTX 0x6001 /* SSL CTX
>
> This may help:
> http://www.openldap.org/faq/data/cache/185.html
> rfc2830
> rfc2246
Thanks for your reply, but it does not answer my question, since it
rather describes how to get started.
I already have everything working with StartTLS or LDAP/SSL (LDAPS)
against either OpenLDAP REL_ENG_2 or an iPlanet server. That's not my
problem. But I want to be really sure about doing proper
certificate validation. I can see in the trace log that e.g. the
cert chain seems to be validated if I set LDAP_OPT_X_TLS_CACERTFILE
(or LDAP_OPT_X_TLS_CACERTDIR). But I'm currently not able to really
determine the exact behaviour if validation of the chain fails.
Therefore I need to know the exact semantics of the following
constants. This time I only listed the ones that are not clear to me.
#define LDAP_OPT_X_TLS 0x6000
#define LDAP_OPT_X_TLS_REQUIRE_CERT 0x6006
/* #define LDAP_OPT_X_TLS_PROTOCOL 0x6007 */
#define LDAP_OPT_X_TLS_CIPHER_SUITE 0x6008
In particular, it's not clear what the constants below mean. They seem
to define what level of security is acceptable if cert
validation (partially) fails.
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
#define LDAP_OPT_X_TLS_DEMAND 2
#define LDAP_OPT_X_TLS_ALLOW 3
#define LDAP_OPT_X_TLS_TRY 4
Again: I'm asking for the *exact* semantics, not just what they probably
mean.
Ciao, Michael.