Full_Name: Michael Ströder
Version:
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)

Feature request:
When using LDAPS or StartTLS it would sometimes be handy to retrieve the LDAP server certificate over the LDAP client API.

Opinions?
michael@stroeder.com wrote:
> Full_Name: Michael Ströder
> Version:
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
>
> Feature request:
> When using LDAPS or StartTLS it would be sometimes handy to retrieve the LDAP
> server certificate over the LDAP client API.
>
> Opinions?

And then what? I think it'd be straightforward for us to return a copy of it in DER binary format. What do clients need to do with it?

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
On Fri, 21 Sep 2012 10:43:42 -0700 Howard Chu <hyc@symas.com> wrote:
> michael@stroeder.com wrote:
>> Feature request:
>> When using LDAPS or StartTLS it would be sometimes handy to retrieve the
>> LDAP server certificate over the LDAP client API.
>>
>> Opinions?
>
> And then what? I think it'd be straightforward for us to return a copy of it
> in DER binary format. What do clients need to do with it?

In my case (web2ldap): simply display it to the user.

If it's not too much work this would be a handy feature.

Ciao, Michael.
Why not just get it from TLS?

-- Kurt
Kurt Zeilenga wrote:
> Why not just get it from TLS?

What exactly do you mean?

Ciao, Michael.
michael@stroeder.com wrote:
> Kurt Zeilenga wrote:
>> Why not just get it from TLS?

That does require an #ifdef <which TLS implementation> mess in the client. libldap already has that.

> What exactly do you mean?

In OpenSSL, SSL_get_peer_certificate().

I note that it might also or instead make sense to ask for the cert chain - OpenSSL SSL_get_peer_cert_chain(). Which quickly dives into how many other TLS session attributes it would make sense to kindly provide an LDAP API interface to...

Hallvard
I wrote:
> In OpenSSL, SSL_get_peer_certificate().

...after getting the SSL* arg with ldap_get_option LDAP_OPT_X_TLS_SSL_CTX. Which the manpage recommends not doing. At least don't meddle with the SSL* more than you have to.

Hallvard
> I wrote:
>> In OpenSSL, SSL_get_peer_certificate().
>
> ...after getting the SSL* arg with
> ldap_get_option LDAP_OPT_X_TLS_SSL_CTX.
> Which the manpage recommends not doing. At least
> don't meddle with the SSL* more than you have to.

I presume Michael's case is one of the few in which the client would pay enough attention to details when using such an option. Whether a case like this deserves an OpenLDAP API is questionable, since it is not an LDAP-specific issue, but rather a general SSL wrapping issue. OTOH, as long as clever client design often needs it, I would not object to adding such a feature.

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
Hallvard Breien Furuseth wrote:
> I wrote:
>> In OpenSSL, SSL_get_peer_certificate().
>
> ...after getting the SSL* arg with
> ldap_get_option LDAP_OPT_X_TLS_SSL_CTX.
> Which the manpage recommends not doing. At least
> don't meddle with the SSL* more than you have to.

Hmm, but then the client has to deal with whether libldap is linked to OpenSSL, libnss or GnuTLS...

Unfortunately in the current project where I'm using web2ldap the python-ldap libs are linked against the OpenLDAP libs shipped with Debian => GnuTLS.

Ciao, Michael.
On Sep 22, 2012, at 8:24 AM, michael@stroeder.com wrote:
> Hallvard Breien Furuseth wrote:
>> I wrote:
>>> In OpenSSL, SSL_get_peer_certificate().
>>
>> ...after getting the SSL* arg with
>> ldap_get_option LDAP_OPT_X_TLS_SSL_CTX.
>> Which the manpage recommends not doing. At least
>> don't meddle with the SSL* more than you have to.

That statement, IIRC, was made mostly because unless you control your build of libldap (or control which libldap you use), you don't know what TLS implementation lies underneath.

> Hmm, but then the client has to deal with whether libldap is linked to
> OpenSSL, libnss or GnuTLS...

Yes, but often that's only one.

Anyways, I see little reason to add cert extraction code in libldap. Most folks who need this need it for more than one protocol, and it's easier/better for them to use a common facility for doing this across all these protocols.

But, hey, if someone wants to write such code for all the supported TLS layers, have at it. But like most things for non-OpenSSL, your mileage will vary.

> Ciao, Michael.
moved from Incoming to Software Enhancements
Michael Ströder wrote:
> On Fri, 21 Sep 2012 10:43:42 -0700 Howard Chu <hyc@symas.com> wrote:
>> michael@stroeder.com wrote:
>>> Feature request:
>>> When using LDAPS or StartTLS it would be sometimes handy to retrieve the
>>> LDAP server certificate over the LDAP client API.
>>>
>>> Opinions?
>>
>> And then what? I think it'd be straightforward for us to return a copy of it
>> in DER binary format. What do clients need to do with it?
>
> In my case (web2ldap): Simply display it to the user.

Probably would have been easier to just return the signature.

> If it's not too much work this would be a handy feature.

Added in master, please test - I have not tested any of this.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
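The thread settles on libldap handing the client a copy of the peer certificate as a DER byte string, which the client (web2ldap in Michael's case) then displays. The example below is added here and is not part of the ITS thread, libldap or web2ldap; it shows what a client should do with such a blob before showing it to anyone: check that the outer DER framing is a well-formed SEQUENCE whose encoded length matches the buffer (so a truncated or indefinite-length blob is rejected rather than rendered), then derive the SHA-256 fingerprint and a PEM rendering. The two sample inputs are constructed minimal DER SEQUENCEs, not real certificates, so that the block runs offline; a real X.509 blob from the API would be processed the same way.

```python
import hashlib
import ssl


def parse_der_tlv(data: bytes):
    """Parse the outermost DER tag-length-value of `data`.

    Returns (tag, length, value). Raises ValueError for indefinite-length
    encoding (not allowed in DER), non-minimal length encoding, or a length
    that does not exactly cover the remaining buffer, which is what a
    truncated certificate looks like.
    """
    if len(data) < 2:
        raise ValueError("DER object too short")
    tag = data[0]
    first = data[1]
    offset = 2
    if first & 0x80:
        # Long form: low 7 bits give the number of length octets that follow.
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is not valid DER")
        if nbytes > 4:
            raise ValueError("unreasonably large length field")
        if len(data) < offset + nbytes:
            raise ValueError("length field truncated")
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        # DER requires the shortest possible length encoding.
        if length < 0x80 or (nbytes > 1 and data[offset] == 0):
            raise ValueError("non-minimal DER length encoding")
        offset += nbytes
    else:
        length = first
    if offset + length != len(data):
        raise ValueError("DER length does not match buffer size")
    return tag, length, data[offset:offset + length]


def summarize_peer_cert(der: bytes) -> dict:
    """Validate the DER framing of a certificate blob and produce display data.

    The blob is assumed to be what an LDAP client API would return for the
    peer certificate (assumption for this example). Only the outer SEQUENCE
    is checked here; full X.509 parsing is left to a proper library.
    """
    tag, length, _body = parse_der_tlv(der)
    if tag != 0x30:
        raise ValueError("certificate must be a DER SEQUENCE (tag 0x30)")
    digest = hashlib.sha256(der).digest()
    return {
        "der_len": len(der),
        "body_len": length,
        # Colon-separated upper-case hex, the form users are used to seeing.
        "sha256_fingerprint": ":".join(f"{b:02X}" for b in digest),
        # ssl.DER_cert_to_PEM_cert only re-encodes; it does no validation,
        # which is why the framing check above comes first.
        "pem": ssl.DER_cert_to_PEM_cert(der),
    }


# Constructed sample inputs (not real certificates):
# SEQUENCE { INTEGER 5 }, short-form length.
SAMPLE_DER_SHORT = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
# SEQUENCE { OCTET STRING of 197 bytes }, long-form length (0x81 0xC8 = 200).
SAMPLE_DER_LONG = b"\x30\x81\xc8\x04\x81\xc5" + b"A" * 197


if __name__ == "__main__":
    for blob in (SAMPLE_DER_SHORT, SAMPLE_DER_LONG):
        info = summarize_peer_cert(blob)
        print(info["der_len"], info["sha256_fingerprint"])
        print(info["pem"])
    try:
        summarize_peer_cert(SAMPLE_DER_SHORT[:-1])  # truncated blob
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting a blob whose length field disagrees with the buffer matters because a display path that trusts the length field and reads past the buffer is exactly the kind of parser bug that turns "show the cert" into a crash; the fingerprint and PEM are computed only after that check passes.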
changed notes changed state Open to Test
added in master