I'm having trouble verifying the correct behavior of my software. Here are the steps I am performing to verify correct operation:
- I have sample code that uses the OpenLDAP library and does a StartTLS to an LDAP server.
- I have set the global option for the CA cert directory and the TLS context for the first time.
- After that I did ldap_init and ldap_start_tls to a server. This is successful, as expected.
- I did an ldap_unbind_s.
- I deleted the CA cert that signed the LDAP server's certificate from the CA cert directory of the client.
- Again did ldap_init and ldap_start_tls_s.
- I expected this call to fail, as I have removed the CA cert. But what I observe is that the server sends the certificate and start_tls is returning success.
I am using OpenLDAP 2.4 with libssl 0.9.8.
```c
#include <stdio.h>
#include <stdlib.h>
#include <ldap.h>

/* <hostname>, <server_port> and <ca dir> are placeholders from the post;
 * fill them in for your environment. */
const char *hostname = "<hostname>";
int server_port = LDAP_PORT;   /* <server_port> */

int main(void)
{
    LDAP *ld;
    int desired_version = 3;

    if ((ld = ldap_init(hostname, server_port)) == NULL) {
        printf("ldap_init failed\n");
        exit(0);
    }
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version);

    /* Global TLS options, set once before the first StartTLS */
    ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
    ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, "<ca dir>");

    if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
        printf("start tls failed.\n");
        exit(0);
    }
    /* ... */
    /* ... <do bind and search> */
    /* ... */
    ldap_unbind_s(ld);
    /* ... */

    // DELETE the CA certificate from the ca dir.
    // Try to do start tls again
    if ((ld = ldap_init(hostname, server_port)) == NULL) {
        printf("ldap_init failed, after deleting CA\n");
        exit(0);
    }
    // This goes fine even after deleting the CA
    if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
        printf("start tls failed after deleting CA.\n");
        exit(0);
    }
    return 0;
}
```
--
Thanks & Regards,
SomaSekhar.