
Re: Hooks for handling SSL/TLS session etc in application



Howard Chu wrote:

Leif Thuresson wrote:

I want to write an LDAP client that uses TLS and has an external session cache
that is preserved between program invocations. When I looked at the TLS module
source I didn't find any support for hooking in external routines for session management,
which means I would have to modify the OpenLDAP lib source (something that I really would like
to avoid since it would be a pain every time I want to upgrade the library).
After some searching on the web I found a discussion with the OpenLDAP developers from
2002 about adding possibilities for external session handling (http://www.openldap.org/lists/openldap-devel/200209/msg00072.html),
but nothing after that. Does anyone know what the current status is on this issue?


I guess it got dropped. The library now sets the session ID, and OpenSSL defaults to server session caching, so caching is automatically supported on slapd. But no callback hooks were ever implemented to allow enabling or selecting a session on the client side.

I've just committed a patch for this to CVS HEAD.

Your app would do something like this:

#include <stdio.h>
#include <openssl/ssl.h>
#include <ldap.h>
#include <ldap_pvt.h>   /* ldap_pvt_tls_init(), ldap_pvt_tls_init_def_ctx() */

LDAP_TLS_CONNECT_CB my_callback;

typedef struct my_context {
   /* whatever state info the callback might need */
   SSL *ssl;
   SSL_CTX *ssl_ctx;
   SSL_SESSION *session;
} my_context;

int main( void ) {
   int rc;
   LDAP *ld;
   SSL_CTX *ctx;
   my_context my_ctx;

   /* Initialize libldap, get an LDAP handle */
   rc = ldap_initialize( &ld, "ldap://foo.com" );
   if ( rc != LDAP_SUCCESS ) return 1;

   /* Make sure the TLS part of libldap gets initialized */
   ldap_pvt_tls_init();
   ldap_pvt_tls_init_def_ctx();

   /* Get libldap's default SSL_CTX, enable client session caching */
   ldap_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx );
   SSL_CTX_set_session_cache_mode( ctx, SSL_SESS_CACHE_CLIENT );

   /* Save the SSL_CTX, set up the callback */
   my_ctx.ssl_ctx = ctx;
   my_ctx.ssl = NULL;
   my_ctx.session = NULL;
   ldap_set_option( ld, LDAP_OPT_X_TLS_CONNECT_CB, my_callback );
   ldap_set_option( ld, LDAP_OPT_X_TLS_CONNECT_ARG, &my_ctx );
   ...
   /* The first time we open a connection, the callback will remember the SSL handle.
    * Once the connection is in progress, we retrieve the SSL_SESSION from that handle.
    */
   rc = ldap_bind_s( ld, "cn=foo", "secret", LDAP_AUTH_SIMPLE );
   if ( my_ctx.ssl )
      my_ctx.session = SSL_get1_session( my_ctx.ssl );

   /* Now that we have the session, the callback will automatically assign it
    * to all subsequent connections. */
   ...

   /* SSL_get1_session() took a reference; release it when we are done */
   if ( my_ctx.session )
      SSL_SESSION_free( my_ctx.session );
   ldap_unbind_ext_s( ld, NULL, NULL );
   return rc == LDAP_SUCCESS ? 0 : 1;
}

/* LDAP_TLS_CONNECT_CB declares the ssl and ctx parameters as void *,
 * so cast them back to the OpenSSL types here. */
int my_callback( LDAP *ld, void *sslv, void *ctxv, void *arg )
{
   SSL *ssl = sslv;
   SSL_CTX *ctx = ctxv;
   my_context *my_ctx = arg;

   /* Only act on connections made through the SSL_CTX we configured */
   if ( ctx != my_ctx->ssl_ctx ) return 0;

   /* First connection: remember the SSL handle so main() can pull the
    * negotiated session out of it once the handshake has run */
   if ( !my_ctx->ssl ) {
      my_ctx->ssl = ssl;
      return 0;
   }
   /* Later connections: hand OpenSSL the saved session to resume */
   if ( my_ctx->session )
      SSL_set_session( ssl, my_ctx->session );
   return 0;
}


--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support