
RE: way to validate server certificate



Dieter,

I know how to do it using openssl lib functions. But I am looking for openldap support.

Thanks,
-binlu

-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Klünter
Sent: Monday, September 22, 2014 12:25 PM
To: openldap-technical@openldap.org
Subject: Re: way to validate server certificate

On Mon, 22 Sep 2014 17:51:02 +0000, Bin Lu <blu@paloaltonetworks.com> wrote:

> Hi Howard,
> 
> The RFCs specify the protocol, but not all releases implement the full 
> protocol.
> 
> I briefly went through the openLdap APIs but could not find the APIs 
> to do server id check.  LDAP_OPT_X_TLS_CACERTFILE and 
> LDAP_OPT_X_TLS_CACERTDIR seem to be for server cert validation, but I 
> don't see how it does the hostname matching.
> 
> It would be helpful if somebody could point me to the actual API(s) that
> do this.

That depends on the included TLS library, for OpenSSL you might want to read https://www.openssl.org/docs/ssl/ssl.html#DEALING_WITH_PROTOCOL_METHODS


-Dieter

> 
> Thanks,
> 
> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com]
> Sent: Friday, September 19, 2014 8:10 PM
> To: Bin Lu; openldap-technical@openldap.org
> Subject: Re: way to validate server certificate
> 
> Bin Lu wrote:
> > Hi,
> >
> > Does openldap provide APIs to do server certificate validation? Can
> > I retrieve the server cert from the LDAP connection and do the
> > validation myself, or, by passing the trusted CA list, will openldap do
> > it (in this case, how is the hostname matching with the subject DN
> > performed)?
> 
> OpenLDAP libldap does server certificate validation according to
> RFC2830 and 4513. It would be a mistake to duplicate that 
> functionality and do the validation yourself.
> >
> > Thanks a lot in advance,
> >
> > -blu
> >
> 
> 



--
Dieter Klünter | Systems consulting
http://sys4.de/
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E