[Date Prev][Date Next] [Chronological] [Thread] [Top]

cert options in ssl/tls connections

To: openldap-technical@openldap.org
Subject: cert options in ssl/tls connections
From: Qiang Xu <qixu@lexmark.com>
Date: Tue, 28 Feb 2012 17:45:28 -0500
Authentication-results: mr.google.com; spf=pass (google.com: domain of qixu@lexmark.com designates 10.112.101.130 as permitted sender) smtp.mail=qixu@lexmark.com

Hello All,

Today I came across a strange problem.

I wrote a program to test ldap ssl/tls connection with OpenLDAP library. Something like the code snippet as follows:

int ret = LDAP_OPT_SUCCESS;
int cert_flag = LDAP_OPT_X_TLS_NEVER;
...
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_flag);
if (ret != LDAP_OPT_SUCCESS)
{
    fprintf(stderr, "unable to set require cert option (LDAP_OPT_X_TLS_REQUIRE_CERT): %s\n",
    ldap_err2string(ret));
}
... // bind to the server

cert_flag = LDAP_OPT_X_TLS_DEMAND;
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_flag);
if (ret != LDAP_OPT_SUCCESS)
{
    fprintf(stderr, "unable to set require cert option (LDAP_OPT_X_TLS_REQUIRE_CERT): %s\n",
    ldap_err2string(ret));
}
... // bind to the server

The first binding is successful, as expected. However, the second binding is also successful, which is contrary to my expectation, because I didn't create any cert file yet.

Another observation here is that if the first binding with LDAP_OPT_X_TLS_NEVER is removed, and the second binding with LDAP_OPT_X_TLS_DEMAND set is done right from the beginning, then it will fail, as expected.

So, it seems the first value set to the option LDAP_OPT_X_TLS_REQUIRE_CERT will override the later values, isn't it? Is it possible to change this option's value on the fly (means different bindings use different values for this cert option)?

Thanks,
Qiang

Prev by Date: LDAP_OPT_X_TLS_xxx option in SSL/TLS connection
Next by Date: Re: LDAP_OPT_X_TLS_xxx option in SSL/TLS connection
Index(es):
- Chronological
- Thread