Re: LDAP_OPT_X_TLS*
--On Tuesday, 19 February 2002 09:30 +0100 Michael Ströder
<michael@stroeder.com> wrote:
> Especially, it's not clear what these constants below mean. They seem
> to define which kind of level of security is acceptable if cert
> validation (partially) fails.
>
> #define LDAP_OPT_X_TLS_NEVER  0
> #define LDAP_OPT_X_TLS_HARD   1
> #define LDAP_OPT_X_TLS_DEMAND 2
> #define LDAP_OPT_X_TLS_ALLOW  3
> #define LDAP_OPT_X_TLS_TRY    4
>
> Again: I'm asking for *exact* semantics, not just what they probably
> mean.
These are the possible values for an ldap_set_option() call where option is
either LDAP_OPT_X_TLS_REQUIRE_CERT or LDAP_OPT_X_TLS. For
LDAP_OPT_X_TLS_REQUIRE_CERT they correspond to the levels of the
TLSVerifyClient directive in slapd.conf:
    TLSVerifyClient <level>
        Specifies what checks to perform on client certificates in an
        incoming TLS session, if any. The <level> can be specified as one
        of the following keywords:

        never   This is the default. slapd will not ask the client for a
                certificate.

        allow   The client certificate is requested. If no certificate is
                provided, the session proceeds normally. If a bad
                certificate is provided, it will be ignored and the
                session proceeds normally.

        try     The client certificate is requested. If no certificate is
                provided, the session proceeds normally. If a bad
                certificate is provided, the session is immediately
                terminated.

        demand | hard | true
                These keywords are all equivalent, for compatibility
                reasons. The client certificate is requested. If no
                certificate is provided, or a bad certificate is
                provided, the session is immediately terminated.

        Note that a valid client certificate is required in order to use
        the SASL EXTERNAL authentication mechanism with a TLS session. As
        such, a non-default TLSVerifyClient setting must be chosen to
        enable SASL EXTERNAL authentication.
The relevant code from libraries/libldap/tls.c:

    i = SSL_VERIFY_NONE;
    if ( tls_opt_require_cert ) {
        /* any level other than NEVER asks the peer for a certificate */
        i = SSL_VERIFY_PEER;
        if ( tls_opt_require_cert == LDAP_OPT_X_TLS_DEMAND ||
             tls_opt_require_cert == LDAP_OPT_X_TLS_HARD ) {
            /* DEMAND/HARD: a missing certificate is fatal as well */
            i |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
        }
    }
    /* ALLOW installs tls_verify_ok as the verify callback; all other
     * levels use tls_verify_cb */
    SSL_CTX_set_verify( tls_def_ctx, i,
        tls_opt_require_cert == LDAP_OPT_X_TLS_ALLOW ?
            tls_verify_ok : tls_verify_cb );
See also SSL_CTX_set_verify.pod (from OpenSSL).
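To make the "exact semantics" question answerable in one place, here is an
added example (mine, not code from libldap or OpenSSL) that mirrors the
decision in tls.c and then models what OpenSSL does with the resulting
verify mode and callback. It assumes, as the names suggest, that
tls_verify_ok accepts unconditionally and that tls_verify_cb leaves
OpenSSL's own verification result alone; the SSL_VERIFY_* values are copied
in so the file builds without openssl/ssl.h. The peer is the side presenting
the certificate (the client, in the TLSVerifyClient case).

```c
#include <stdio.h>

/* libldap level constants, as quoted in the message */
#define LDAP_OPT_X_TLS_NEVER  0
#define LDAP_OPT_X_TLS_HARD   1
#define LDAP_OPT_X_TLS_DEMAND 2
#define LDAP_OPT_X_TLS_ALLOW  3
#define LDAP_OPT_X_TLS_TRY    4

/* OpenSSL verify-mode flags, values copied here so this compiles stand-alone */
#define SSL_VERIFY_NONE                 0x00
#define SSL_VERIFY_PEER                 0x01
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02

/* Assumption: tls_verify_ok returns 1 for every certificate, tls_verify_cb
 * returns OpenSSL's preverify result unchanged. */
enum verify_cb { CB_STRICT, CB_ACCEPT_ALL };

struct verify_policy {
    int mode;          /* flags handed to SSL_CTX_set_verify */
    enum verify_cb cb; /* which callback is installed */
};

/* Mirror of the tls_opt_require_cert handling in tls.c */
struct verify_policy policy_for_level(int level)
{
    struct verify_policy p = { SSL_VERIFY_NONE, CB_STRICT };
    if (level) {
        p.mode = SSL_VERIFY_PEER;
        if (level == LDAP_OPT_X_TLS_DEMAND || level == LDAP_OPT_X_TLS_HARD)
            p.mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
    }
    p.cb = (level == LDAP_OPT_X_TLS_ALLOW) ? CB_ACCEPT_ALL : CB_STRICT;
    return p;
}

enum cert_state { CERT_NONE, CERT_BAD, CERT_GOOD };

/* Model of how OpenSSL acts on the mode and callback during the handshake.
 * Returns 1 if the session proceeds, 0 if it is terminated. */
int handshake_proceeds(int level, enum cert_state peer)
{
    struct verify_policy p = policy_for_level(level);

    if (!(p.mode & SSL_VERIFY_PEER))
        return 1;                        /* no certificate is even requested */
    if (peer == CERT_NONE)               /* fatal only with the FAIL_IF flag */
        return !(p.mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
    if (peer == CERT_BAD)                /* callback decides: ALLOW overrides */
        return p.cb == CB_ACCEPT_ALL;
    return 1;                            /* good certificate always passes */
}

int main(void)
{
    static const struct { const char *name; int level; } levels[] = {
        { "never",  LDAP_OPT_X_TLS_NEVER  }, { "allow",  LDAP_OPT_X_TLS_ALLOW },
        { "try",    LDAP_OPT_X_TLS_TRY    }, { "demand", LDAP_OPT_X_TLS_DEMAND },
        { "hard",   LDAP_OPT_X_TLS_HARD   },
    };
    size_t i;

    printf("%-8s %-8s %-8s %s\n", "level", "no cert", "bad cert", "good cert");
    for (i = 0; i < sizeof levels / sizeof levels[0]; i++)
        printf("%-8s %-8s %-8s %s\n", levels[i].name,
               handshake_proceeds(levels[i].level, CERT_NONE) ? "ok" : "abort",
               handshake_proceeds(levels[i].level, CERT_BAD)  ? "ok" : "abort",
               handshake_proceeds(levels[i].level, CERT_GOOD) ? "ok" : "abort");
    return 0;
}
```

The table the program prints reproduces the man page: only ALLOW lets a
presented-but-invalid certificate through (because tls_verify_ok discards the
verification result), TRY rejects a bad certificate but tolerates a missing
one, and DEMAND and HARD are identical since the code checks them together.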
For LDAP_OPT_X_TLS the only valid value seems to be LDAP_OPT_X_TLS_HARD.
(Isn't the use of the other constants an error condition?) It can be used to
programmatically request LDAPS without using a URI.
From libraries/libldap/open.c:

    if (ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
        strcmp( srv->lud_scheme, "ldaps" ) == 0 )
    {
        ++conn->lconn_refcnt; /* avoid premature free */
        rc = ldap_int_tls_start( ld, conn, srv );
--
Norbert Klasen, Dipl.-Inform.
DAASI International GmbH phone: +49 7071 29 70336
Wilhelmstr. 106 fax: +49 7071 29 5114
72074 Tübingen email: norbert.klasen@daasi.de
Germany web: http://www.daasi.de