[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: way to validate server certificate
I think he's hoping to utilize the same code used in OpenLDAP to do verification outside of 'doing everything else OpenLDAP does'.
As in: use the code/methods OpenLDAP uses exposed in a manner he might use them to test/verify certs/etc.
I could be really wrong though.
- chris
-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Aaron Richton
Sent: Wednesday, September 24, 2014 10:08 AM
To: Bin Lu
Cc: Dieter Klünter; openldap-technical@openldap.org
Subject: RE: way to validate server certificate
On Tue, 23 Sep 2014, Bin Lu wrote:
> Dieter,
>
> I know how to do it using openssl lib functions. But I am looking for openldap support.
OpenLDAP support for what? You've talked about standards used for applications verifying subject names, configuration of CAs, and opened an aside regarding in-memory CAs so far.
verifying names:
Howard's told you what specs libldap implements, the support is there.
Read the code if you don't believe him.
configuring CAs/in-memory CAs:
The TLS library providers can tell you what each of their libraries implement. (And it's most definitely not OpenLDAP's job to duplicate what the TLS libraries already provide...) You can find the related libldap/slapd configuration directives in the appropriate man pages. These are typically passed straight to the crypto libraries, though, so a thorough understanding of your chosen crypto library is key. (Keep in mind that OpenLDAP supports a compile-time choice of multiple crypto
providers.)
> Thanks,
> -binlu
>
> -----Original Message-----
> From: openldap-technical
> [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter
> Kl?nter
> Sent: Monday, September 22, 2014 12:25 PM
> To: openldap-technical@openldap.org
> Subject: Re: way to validate server certificate
>
> <html>
> Am Mon, 22 Sep 2014 17:51:02 +0000
> schrieb Bin Lu <blu@paloaltonetworks.com>:
>
>> Hi Howard,
>>
>> The RFCs specify the protocol, but not all releases implement the
>> full protocol.
>>
>> I briefly went through the openLdap APIs but could not find the APIs
>> to do server id check. LDAP_OPT_X_TLS_CACERTFILE and
>> LDAP_OPT_X_TLS_CACERTDIR seem to be for server cert validation, but I
>> don't see how it does the hostname matching.
>>
>> If would be helpful if somebody could point me the actual API(s) that
>> does this.
>
> That depends on the included TLS library, for openSSL you might want
> to read
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.openssl.org_d
> ocs_ssl_ssl.html-23DEALING-5FWITH-5FPROTOCOL-5FMETHODS&d=AAIFaQ&c=V9Ig
> WpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=OoT5VLtV-av2TWtGCL3lvAfjqGLD
> 0FLH3lQvyqxLjdc&m=S_ZUWYF6j0hu1QhwXZPcobptcN9AaxM2LSp-S7mwnzU&s=u2oGRu
> 4BAahLkAvOy4jLniKlVlJ1DI_Sv0fqx2SK_Y8&e=
>
>
> -Dieter
>
>>
>> Thanks,
>>
>> -----Original Message-----
>> From: Howard Chu [mailto:hyc@symas.com]
>> Sent: Friday, September 19, 2014 8:10 PM
>> To: Bin Lu; openldap-technical@openldap.org
>> Subject: Re: way to validate server certificate
>>
>> Bin Lu wrote:
>>> Hi,
>>>
>>> Does openldap provide APIs to do server certificate validation? Can
>>> I retrieve the server cert from LDAP connection and do the
>>> validation myself or by passing the trusted CA list openldap will do
>>> it (in this case, how the hostname matching with the subject DN is
>>> performed)?
>>
>> OpenLDAP libldap does server certificate validation according to
>> RFC2830 and 4513. It would be a mistake to duplicate that
>> functionality and do the validation yourself.
>>>
>>> Thanks a lot in advance,
>>>
>>> -blu
>>>
>>
>>
>
>
>
> --
> Dieter Kl?nter | Systemberatung
> https://urldefense.proofpoint.com/v2/url?u=http-3A__sys4.de_&d=AAIFaQ&
> c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=OoT5VLtV-av2TWtGCL3lvA
> fjqGLD0FLH3lQvyqxLjdc&m=S_ZUWYF6j0hu1QhwXZPcobptcN9AaxM2LSp-S7mwnzU&s=
> 58Dib58wruVfi54NPs1PDVD2cXA13wMLqBpDvPSLcdQ&e=
> GPG Key ID: E9ED159B
> 53?37'09,95"N
> 10?08'02,42"E
>
>
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.