RE: way to validate server certificate
In addition, it would be nice to have an in-memory config setting API for the server CAs (if you already have these CAs in memory, you don't have to dump them to a file) instead of pointing it to a file or a directory...
-----Original Message-----
From: Bin Lu
Sent: Monday, September 22, 2014 10:51 AM
To: 'Howard Chu'; openldap-technical@openldap.org
Subject: RE: way to validate server certificate
Hi Howard,
The RFCs specify the protocol, but not all releases implement the full protocol.
I briefly went through the OpenLDAP APIs but could not find the APIs to do server id check. LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_CACERTDIR seem to be for server cert validation, but I don't see how it does the hostname matching.
It would be helpful if somebody could point me to the actual API(s) that do this.
Thanks,
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, September 19, 2014 8:10 PM
To: Bin Lu; openldap-technical@openldap.org
Subject: Re: way to validate server certificate
Bin Lu wrote:
> Hi,
>
> Does openldap provide APIs to do server certificate validation? Can I
> retrieve the server cert from LDAP connection and do the validation
> myself or by passing the trusted CA list openldap will do it (in this
> case, how the hostname matching with the subject DN is performed)?
OpenLDAP libldap does server certificate validation according to RFC2830 and 4513. It would be a mistake to duplicate that functionality and do the validation yourself.
>
> Thanks a lot in advance,
>
> -blu
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com/
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/