Question Regarding the use of TLS_CACERTDIR and TLS_CACERTFILE



Hi,
I am confused regarding the use of TLS_CACERTDIR and TLS_CACERTFILE.

[man:eldap]> cat ~/.ldaprc
TLS_CACERTDIR /home/siva/server/ssl/certs

/home/siva/rootca2.cer is a completely different CA certificate not
associated with our scenario at all!!

number) C code
a) situation when TLS_CACERTDIR option is present in .ldaprc
b) situation when no .ldaprc file or no TLS_CACERTDIR in .ldaprc/ldap.conf

1)
//ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTFILE,"/home/siva/rootca2.cer");
//ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTDIR,"/home/siva/server/ssl/certs/");

a) TLS_CACERTDIR in .ldaprc (why??)
[man:eldap]>a.out host.domain.com "cn=test,dc=siva,dc=com" "test123"
prot ver=3
req cert ok
ldaps ok
ca ok
ldap_create
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: host.domain.com
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.17.152.239:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=host.domain.com
TLS: could not load client CA list
(file:`',dir:`/home/siva/server/ssl/certs').
ldap_perror
ldap_simple_bind_s: Can't contact LDAP server

b) If there is no TLS_CACERTDIR in .ldaprc/ldap.conf, the verify fails. (makes sense)
ldap_simple_bind_s: Can't contact LDAP server
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


2)
//ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTFILE,"/home/siva/rootca2.cer");
ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTDIR,"/home/siva/server/ssl/certs/");

a), b) Doesn't work, irrespective of whether there is a CACERTDIR in
.ldaprc/ldap.conf or not. Same error as shown below in both scenarios.
(why??)

[man:eldap]>a.out host.domain.com "cn=test,dc=siva,dc=com" "test123"
prot ver=3
req cert ok
ldaps ok
ca ok
ldap_create
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: host.domain.com
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.17.152.239:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=host.domain.com
TLS: could not load client CA list
(file:`',dir:`/home/siva/server/ssl/certs/').
ldap_perror
ldap_simple_bind_s: Can't contact LDAP server

3)
ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTFILE,"/home/siva/rootca2.cer");
//ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTDIR,"/home/siva/server/ssl/certs/");

a) Works; it is using the .ldaprc/ldap.conf. (ok)
b) If CACERTDIR is not in .ldaprc/ldap.conf, then it fails. (makes sense)

4)
ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTFILE,"/home/siva/rootca2.cer");
ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTDIR,"/home/siva/server/ssl/certs/");

Works, in the presence or absence of CACERTDIR in .ldaprc/ldap.conf. (ok)

I am trying to understand the situations marked as (why??) above, namely
1a, 2a and 2b. Comparing and contrasting them with the others (1b, 3a, 3b,
4a, 4b), I seem to understand that the client requires some dummy CA
certificate initially. I remember something in the specs about the client
initially sending the "list of CA certificates it accepts" to the peer. Is
this behavior (and what the error means) caused by that?

If I try something similar using "openssl s_client -connect
host.domain.com:636 -CApath=/home/siva/server/ssl/certs", it succeeds and
everything works without complaining. How come this works??

Thanks,
Siva
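The post above contrasts a CACERTFILE bundle with a CACERTDIR directory. Both LDAP_OPT_X_TLS_CACERTDIR / TLS_CACERTDIR and "openssl s_client -CApath" rely on OpenSSL's hashed-directory lookup, which only finds a CA certificate through a PEM file or symlink named <subject-hash>.<n>, the layout c_rehash (or "openssl rehash") produces, so one check a practitioner makes before comparing the two modes is whether the directory actually has that layout. The script below is an added example, not code from the post or from OpenLDAP; it assumes the openssl CLI is installed, and the directory it inspects is whatever path the caller passes.

```shell
#!/bin/sh
# Added example (not from the original post). Sanity-check a directory meant
# for TLS_CACERTDIR / -CApath: OpenSSL's X509_LOOKUP_hash_dir opens only
# entries named <8-hex-digit subject hash>.<n>, read as PEM.

# check_capath DIR
# Returns 0 when DIR exists, contains at least one hash-named entry, and
# every *.pem/*.crt/*.cer file in it is reachable under its hash name.
# Prints one line per problem found.
check_capath() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    hashed=0
    problems=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                # <hash>.<n>: the only names the directory lookup opens
                hashed=$((hashed + 1)) ;;
            *.pem|*.crt|*.cer)
                command -v openssl >/dev/null 2>&1 || continue
                # The lookup reads PEM only; a DER .cer is never found via CApath.
                if ! h=$(openssl x509 -noout -hash -in "$f" 2>/dev/null); then
                    echo "not a PEM certificate (DER?): $f"
                    problems=$((problems + 1))
                    continue
                fi
                # A certificate counts only if a hash-named link for it exists.
                if ! ls "$dir/$h".[0-9]* >/dev/null 2>&1; then
                    echo "no hash link for $f (run c_rehash / openssl rehash; want $h.0)"
                    problems=$((problems + 1))
                fi ;;
        esac
    done
    if [ "$hashed" -eq 0 ]; then
        echo "no hash-named entries in $dir: unusable as CACERTDIR/CApath"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Usage: check_capath.sh /path/to/cacertdir
if [ $# -gt 0 ]; then
    check_capath "$1"
fi
```

A directory that passes this check is usable by both s_client -CApath and the libldap CACERTDIR option; one that fails it will also fail CACERTFILE-only comparisons for the wrong reason, so fix the layout first.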