Hi Rich,

to provide a better vision, I am trying to use openldap to connect to a server and ignoring errors in authentication of the certificates. I am working on a *client*. In particular the code I wrote is like this:

    ldap_initialize(&ld, url);

    if (crypto_api == LDAP_CRYPTO_API_OPENSSL) {
        // This Works..
        SSL_CTX *ctx = NULL;
        ...
    } else {
        int opt_val = 0;

        if (ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &opt_val) != LDAP_OPT_SUCCESS) {
            /// ERROR if here (does not happen)
        }

        // This works till now
        opt_val = LDAP_OPT_X_TLS_TRY;
        if (ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val) != LDAP_OPT_SUCCESS) {
            if (ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val) != LDAP_OPT_SUCCESS) {
                // Error ..
            }
        }
    }

    m_error = ldap_start_tls_s(corePnt->m_ldap, NULL, NULL);
    ...

Note that m_error gets a -11...

On the server the output (-d 1) is:

    connection_get(14): got connid=1007
    connection_read(14): checking for input on id=1007
    TLS: error: accept - force handshake failure: errno 11 - moznss error -5938
    TLS: can't accept: (unknown).

I have no clue why this is not working.

Another thing which is interesting.. on Ubuntu I tried to change the TLS_CERTREQ option to "allow" ... and the code works - but I cannot have it working by using the ldap_set_option().. (on Fedora 14/15 setting the option in the ldap.conf file - in /etc/openldap/ - does not work..).

Heeeeeellp!!! :D

Cheers,
Max

On 06/10/2011 10:50 PM, Rich Megginson wrote:
> On Fri, Jun 10, 2011 at 4:19 PM, Massimiliano Pala <pala@isis.poly.edu> wrote:
>> Hi Philip, all,
>>
>> thanks for the advice. I have changed the code.. and the option is set correctly. Question, do you think it is safe to do this as a fallback:
>>
>>     if (ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &level) != LDAP_OPT_SUCCESS) {
>>         if (ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &level) != LDAP_OPT_SUCCESS) {
>>             /// Total Failure
>>         }
>>     }
>>
>> Still.. although I set the option, I still get the -11 error when trying to bind.
>
> What -11 error? Client or server? Can you run with -d 1 to get detailed trace information?
>
>> Is there any other option I have to set to "disable" certificate verification for non-openssl crypto api ?
>>
>> Cheers,
>> Max
>>
>> On 06/10/2011 05:23 PM, Philip Guenther wrote:
>>> [..]
>>> Howard has already pointed out that the value must be an LDAP_OPT_X_TLS_* constant and not a string; I just wanted to add that in version 2.3 and earlier, that option (and most of the other TLS options) could only be set globally: ldap_set_option() would fail for them if the first argument wasn't NULL. So, make sure you're building against a current version.
>>>
>>> Philip Guenther
>>
>> --
>> http://member.acm.org/~openca/
>> Massimiliano Pala, Ph.D.
>> Director, OpenCA Labs
>> Professor, NYU Poly
--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly