Question Regarding the use of TLS_CACERTDIR and TLS_CACERTFILE
Hi,
I am confused about the use of TLS_CACERTDIR and TLS_CACERTFILE.
[man:eldap]> cat ~/.ldaprc
TLS_CACERTDIR /home/siva/server/ssl/certs
/home/siva/rootca2.cer is a completely different CA certificate, not
associated with our scenario at all!!
Legend for the cases below:
number) C code
a) situation when the TLS_CACERTDIR option is present in .ldaprc
b) situation when there is no .ldaprc file, or no TLS_CACERTDIR in .ldaprc/ldap.conf
1)
//ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTFILE,"/home/siva/rootca2.cer");
//ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTDIR,"/home/siva/server/ssl/certs/");
a) TLS_CACERTDIR in .ldaprc (why??)
[man:eldap]>a.out host.domain.com "cn=test,dc=siva,dc=com" "test123"
prot ver=3
req cert ok
ldaps ok
ca ok
ldap_create
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: host.domain.com
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.17.152.239:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=host.domain.com
TLS: could not load client CA list
(file:`',dir:`/home/siva/server/ssl/certs').
ldap_perror
ldap_simple_bind_s: Can't contact LDAP server
b) If there is no TLS_CACERTDIR in .ldaprc/ldap.conf, the verify fails. (makes
sense)
ldap_simple_bind_s: Can't contact LDAP server
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2)
//ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTFILE,"/home/siva/rootca2.cer");
ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTDIR,"/home/siva/server/ssl/certs/");
a), b) Doesn't work, irrespective of whether there is a CACERTDIR in
.ldaprc/ldap.conf or not. Same error as shown below in both scenarios.
(why??)
[man:eldap]>a.out host.domain.com "cn=test,dc=siva,dc=com" "test123"
prot ver=3
req cert ok
ldaps ok
ca ok
ldap_create
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: host.domain.com
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.17.152.239:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=host.domain.com
TLS: could not load client CA list
(file:`',dir:`/home/siva/server/ssl/certs/').
ldap_perror
ldap_simple_bind_s: Can't contact LDAP server
3)
ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTFILE,"/home/siva/rootca2.cer");
//ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTDIR,"/home/siva/server/ssl/certs/");
a) Works; it is using the .ldaprc / ldap.conf. (ok)
b) If CACERTDIR is not there in .ldaprc/ldap.conf, then it fails. (makes
sense)
4)
ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTFILE,"/home/siva/rootca2.cer");
ret=ldap_set_option(0,LDAP_OPT_X_TLS_CACERTDIR,"/home/siva/server/ssl/certs/");
Works in the presence or absence of CACERTDIR in .ldaprc/ldap.conf. (ok)
I am trying to understand the situations marked as (why??) above, namely
1a, 2a and 2b.
Comparing and contrasting them with the others (1b, 3a, 3b, 4a, 4b), I seem to
understand that the client requires some dummy CA certificate initially. I
remember something in the specs about the client initially sending the
"list of CA certificates it accepts" to the peer. Is this behaviour (and
what the error means) caused by that?
If I try something similar using "openssl s_client -connect
host.domain.com:636 -CApath=/home/siva/server/ssl/certs", it succeeds and
everything works without complaining. How come this works??
Thanks,
Siva
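An added example, not part of Siva's post and not code from OpenLDAP or
OpenSSL, that shows what an OpenSSL CApath directory (the thing
TLS_CACERTDIR and "openssl s_client -CApath" point at) has to contain
before a verification lookup can find a CA in it. By-directory lookup is
keyed on <subject_hash>.N links, not on file names, so a directory that
merely holds a copy of the CA PEM looks complete to a human but is invisible
to the verifier. Two practitioner caveats that the example is built around:
openssl takes the directory as a separate argument ("-CApath dir", not
"-CApath=dir"), and the "TLS: could not load client CA list" line in the
trace above is logged by libldap when, with a CA file or directory
configured, it builds the list of acceptable client-CA names by reading
every entry in that directory (OpenSSL's SSL_add_dir_cert_subjects_to_stack),
which is a different walk of the directory than the on-demand hash lookup
s_client performs. All paths, key material and subject names below are
constructed under a temporary directory; none of them are the poster's
/home/siva paths. It assumes openssl(1) (1.1.1 or newer) is on PATH and that
its default openssl.cnf is present, so that "req -x509" emits a CA:TRUE root.

```shell
#!/bin/sh
# Added example (not from the original post, OpenLDAP or OpenSSL).
# Assumes openssl(1) is on PATH. Every path used is constructed under a
# scratch directory; nothing here touches the poster's /home/siva paths.
set -eu

# Build a throwaway root CA and a server certificate signed by it
# (constructed test data; the CNs are placeholders).
make_test_pki() {
    pki=$1
    mkdir -p "$pki"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$pki/ca.key" -out "$pki/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=host.domain.com" \
        -keyout "$pki/srv.key" -out "$pki/srv.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$pki/srv.csr" \
        -CA "$pki/ca.pem" -CAkey "$pki/ca.key" -CAcreateserial \
        -out "$pki/srv.pem" >/dev/null 2>&1
}

# Copy a CA certificate into a CApath directory WITHOUT a hash link.
# This is the layout people usually produce by hand: it looks complete,
# but OpenSSL's by-directory lookup never opens a file by this name.
add_ca_unhashed() {
    capath=$1; ca=$2
    mkdir -p "$capath"
    cp "$ca" "$capath/$(basename "$ca")"
}

# Add the <subject_hash>.0 link that CApath lookups are keyed on.
# The hash is taken from "openssl x509 -subject_hash" rather than from
# c_rehash/"openssl rehash" so the same command works on every OpenSSL
# that ships the x509 command. The CA must already live inside $capath.
add_ca_hash_link() {
    capath=$1; ca=$2
    hash=$(openssl x509 -noout -subject_hash -in "$ca")
    ln -sf "$(basename "$ca")" "$capath/$hash.0"
}

# Return 0 if "openssl verify -CApath <dir>" accepts the certificate,
# non-zero otherwise. This is the same store lookup that
# "openssl s_client -CApath <dir>" relies on when it verifies a server.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Run both layouts end to end in a scratch directory and report the outcome.
# Returns 0 only if the unhashed layout is rejected AND the hashed one is
# accepted, i.e. if the directory behaves the way the comments above claim.
demo_capath_lookup() {
    work=$(mktemp -d)
    make_test_pki "$work/pki"
    add_ca_unhashed "$work/certs" "$work/pki/ca.pem"
    if verify_with_capath "$work/certs" "$work/pki/srv.pem"; then
        unhashed=accepted
    else
        unhashed=rejected
    fi
    add_ca_hash_link "$work/certs" "$work/certs/ca.pem"
    if verify_with_capath "$work/certs" "$work/pki/srv.pem"; then
        hashed=accepted
    else
        hashed=rejected
    fi
    echo "CApath without hash link: $unhashed; with <hash>.0 link: $hashed"
    rm -rf "$work"
    [ "$unhashed" = rejected ] && [ "$hashed" = accepted ]
}
```

Running demo_capath_lookup prints one line summarising the two layouts. The
point for a TLS_CACERTDIR deployment is that the directory must be
rehashed (with c_rehash, "openssl rehash", or the manual link shown in
add_ca_hash_link) every time a CA is added or renewed, and that a
verification failure against such a directory is worth checking with
"openssl verify -CApath" before suspecting the LDAP client itself.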