OpenLDAP
Viewing Contrib/2767

From: prkumar@nortelnetworks.com
Subject: Flexibility to use customized "verify_callback" while using OpenLdap with TLS

Date: Tue, 14 Oct 2003 15:14:16 GMT
From: prkumar@nortelnetworks.com
To: openldap-its@OpenLDAP.org
Subject: Flexibility to use customized "verify_callback" while using OpenLdap with TLS
Full_Name: Prashant Kumar.
Version: 2.1.22 (20030709)
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.234.0.52)


Right now, while using OpenLDAP with TLS/SSL, there are no APIs to specify a user
customized "verify_callback" and "verify_depth". Also, there are no APIs to
input the CA cert, client cert and client cert key into the SSL context in the
binary (DER) format (right now, OpenLDAP reads all this information from PEM files
whose paths are specified in the "ldap.conf").

This enhancement adds the following APIs to the OpenLDAP library, which will allow the
user to do all the above things:

/*To set the verify callback*/
ldap_set_tls_verify_callback (
      int (*tls_verify_callback)(int, struct x509_store_ctx_s *));

/*To set the verify depth*/
ldap_set_tls_verify_depth (unsigned int verify_depth);

/*To set the CA cert*/
ldap_set_tls_cacert_bin (unsigned char *caCert,unsigned int len);

/*To set the client cert*/
ldap_set_tls_clientcert_bin (unsigned char *clientcert, unsigned int len);

/*To set the client cert key*/
ldap_set_tls_clientcert_key_bin (unsigned char *clientkey, unsigned int len);

I have changed two files, "include/ldap.h" and "libraries/libldap/tls.c", to
accommodate these features, and I have uploaded these changes as a tarball (this
tarball has 2 patches, one for ldap.h and the other for tls.c) onto
"ftp://ftp.openldap.org/incoming/". The tarball name is
"prashant-kumar-openldap-031014.tgz".


Thank you,
Prashant Kumar


Followup 1

Date: Tue, 14 Oct 2003 12:04:05 -0700
To: prkumar@nortelnetworks.com
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)
Cc: openldap-its@OpenLDAP.org
A couple of quick comments (without really looking at your tls.c
patch... I'll leave most of that to others who are more familiar
with that code).

Setting of options should be done through the ldap_set_option(3) API.
It likely should support global and per-session callbacks; ldap_set_option(3)
supports both.  Also, we shouldn't provide options for things which
can be managed through the TLS_CTX option.  That is, -lldap should
avoid knowing too much about OpenSSL and/or TLS details.

Lastly, no file in the tarball includes a notice.  See
<http://www.openldap.org/devel/contributing.html> for guidelines.
I suggest you provide a notice in a separate COPYRIGHT file.

Kurt




Followup 2

From: "Prashant Kumar" <prkumar@nortelnetworks.com>
To: openldap-its@OpenLDAP.org
Subject: (ITS#2767)
Date: Tue, 14 Oct 2003 16:54:36 -0400

Kurt,

Thanks a lot for your comments. I will modify my code to provide
those options through ldap_set_options (I will wait for comments
from others so that I can make all these changes in one shot :)).

The way TLS_CTX is set right now, it does not provide enough
flexibility to the user of -ldap to customize things based on
his requirements. For example,

1. "verify_callback": depending on the application, the user
   may like to handle certificates in their own customized way.
   However, -ldap forces the user to use the default way that
   OpenLDAP provides, that is to use "tls_verify_cb" or
   "tls_verify_ok".

2. verify depth. I don't see any options in TLS_CTX to control
   this.

3. -ldap forces the user to specify the certs in the PEM format
   in a file.

I do agree with you that it may not be a good option to expose
too much of OpenSSL to the user. However, I don't see a problem
with exposing TLS to the user if we want to use OpenLDAP over
TLS/SSL. If OpenLDAP supports running over TLS, I guess we should
provide a complete set of options to customize TLS on an as-needed
basis.

I will add the COPYRIGHT file.

Thank you again for your feedback.

Regards,
Prashant Kumar.


Followup 3

From: "Prashant Kumar" <prkumar@nortelnetworks.com>
To: openldap-its@OpenLDAP.org
Subject: (ITS#2767)
Date: Thu, 16 Oct 2003 16:30:13 -0400

After I got suggestions from the OpenLDAP Developers group, I have incorporated
changes to set all the options through the "ldap_set_options" API. The new tarball
is "prashant-kumar-031016.tgz".


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org