Software Enhancements/7398
Date: Fri, 21 Sep 2012 17:20:59 +0000
From: michael@stroeder.com
To: openldap-its@OpenLDAP.org
Subject: Retrieve LDAP server cert

Full_Name: Michael Ströder
Version:
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)

Feature request:
When using LDAPS or StartTLS it would be sometimes handy to retrieve the LDAP server certificate over the LDAP client API.

Opinions?
Date: Fri, 21 Sep 2012 10:43:42 -0700
From: Howard Chu <hyc@symas.com>
To: michael@stroeder.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#7398) Retrieve LDAP server cert

michael@stroeder.com wrote:
> Full_Name: Michael Ströder
> Version:
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
>
> Feature request:
> When using LDAPS or StartTLS it would be sometimes handy to retrieve the LDAP
> server certificate over the LDAP client API.
>
> Opinions?

And then what? I think it'd be straightforward for us to return a copy of it in DER binary format. What do clients need to do with it?

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
To: Howard Chu <hyc@symas.com>
Cc: <openldap-its@openldap.org>
From: "Michael Ströder" <michael@stroeder.com>
Subject: Re: (ITS#7398) Retrieve LDAP server cert
Date: Fri, 21 Sep 2012 20:28:02 +0200

On Fri, 21 Sep 2012 10:43:42 -0700 Howard Chu <hyc@symas.com> wrote:
> michael@stroeder.com wrote:
> > Feature request:
> > When using LDAPS or StartTLS it would be sometimes handy to retrieve the
> > LDAP server certificate over the LDAP client API.
> >
> > Opinions?
>
> And then what? I think it'd be straightforward for us to return a copy of it
> in DER binary format. What do clients need to do with it?

In my case (web2ldap): Simply display it to the user.

If it's not too much work this would be a handy feature.

Ciao, Michael.
Subject: Re: (ITS#7398) Retrieve LDAP server cert
From: Kurt Zeilenga <Kurt@OpenLDAP.org>
Date: Fri, 21 Sep 2012 15:53:17 -0700
Cc: openldap-its@OpenLDAP.org
To: michael@stroeder.com

Why not just get it from TLS?

-- Kurt
Date: Sat, 22 Sep 2012 13:44:15 +0200
From: Michael Ströder <michael@stroeder.com>
To: Kurt Zeilenga <Kurt@OpenLDAP.org>
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7398) Retrieve LDAP server cert

Kurt Zeilenga wrote:
> Why not just get it from TLS?

What exactly do you mean?

Ciao, Michael.
Date: Sat, 22 Sep 2012 15:50:35 +0200
From: Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>
To: <michael@stroeder.com>
Cc: <openldap-its@openldap.org>
Subject: Re: (ITS#7398) Retrieve LDAP server cert

michael@stroeder.com wrote:
> Kurt Zeilenga wrote:
>> Why not just get it from TLS?

That does require an #ifdef <which TLS implementation> mess in the client. libldap already has that.

> What exactly do you mean?

In OpenSSL, SSL_get_peer_certificate().

I note that it might also or instead make sense to ask for the cert chain - OpenSSL SSL_get_peer_cert_chain(). Which quickly dives into how many other TLS session attributes it would make sense to kindly provide an LDAP API interface to...

Hallvard
Date: Sat, 22 Sep 2012 15:59:48 +0200
From: Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>
To: <michael@stroeder.com>
Cc: <openldap-its@openldap.org>
Subject: Re: (ITS#7398) Retrieve LDAP server cert

I wrote:
> In OpenSSL, SSL_get_peer_certificate().

..after getting the SSL* arg with ldap_get_option LDAP_OPT_X_TLS_SSL_CTX. Which the manpage recommends not doing. At least don't meddle with the SSL* more than you have to.

Hallvard
Date: Sat, 22 Sep 2012 16:10:37 +0200
Subject: Re: (ITS#7398) Retrieve LDAP server cert
From: "Pierangelo Masarati" <masarati@aero.polimi.it>
To: h.b.furuseth@usit.uio.no
Cc: openldap-its@openldap.org

> I wrote:
>> In OpenSSL, SSL_get_peer_certificate().
>
> ..after getting the SSL* arg with
> ldap_get_option LDAP_OPT_X_TLS_SSL_CTX.
> Which the manpage recommends not doing. At least
> don't meddle with the SSL* more than you have to.

I presume Michael's case is one of the few in which the client would pay enough attention to details when using such an option. Whether a case like this deserves an OpenLDAP API is questionable, since it is not an LDAP-specific issue, but rather a general SSL wrapping issue. OTOH, as long as clever client design often needs it, I would not object to adding such a feature.

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
Date: Sat, 22 Sep 2012 16:32:29 +0200
From: Michael Ströder <michael@stroeder.com>
To: Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7398) Retrieve LDAP server cert

Hallvard Breien Furuseth wrote:
> I wrote:
>> In OpenSSL, SSL_get_peer_certificate().
>
> ..after getting the SSL* arg with
> ldap_get_option LDAP_OPT_X_TLS_SSL_CTX.
> Which the manpage recommends not doing. At least
> don't meddle with the SSL* more than you have to.

Hmm, but then the client has to deal with whether libldap is linked to OpenSSL, libnss or GnuTLS...

Unfortunately in the current project where I'm using web2ldap the python-ldap libs are linked against the OpenLDAP libs shipped with Debian => GnuTLS.

Ciao, Michael.
Subject: Re: (ITS#7398) Retrieve LDAP server cert
From: Kurt Zeilenga <kurt@OpenLDAP.org>
Date: Sat, 22 Sep 2012 14:25:41 -0700
Cc: openldap-its@OpenLDAP.org
To: michael@stroeder.com

On Sep 22, 2012, at 8:24 AM, michael@stroeder.com wrote:
> Hallvard Breien Furuseth wrote:
>> I wrote:
>>> In OpenSSL, SSL_get_peer_certificate().
>>
>> ..after getting the SSL* arg with
>> ldap_get_option LDAP_OPT_X_TLS_SSL_CTX.
>> Which the manpage recommends not doing. At least
>> don't meddle with the SSL* more than you have to.

That statement, IIRC, was made mostly because unless you control your build of libldap (or control which libldap you use), you don't know what TLS implementation lies underneath.

> Hmm, but then the client has to deal with whether libldap is linked to
> OpenSSL, libnss or GnuTLS...

Yes, but often that's only one.

Anyways, I see little reason to add cert extraction code in libldap. Most folks who need this need this for more than one protocol, and it's easier/better for them to use a common facility for doing this across all these protocols. But, hey, if someone wants to write such code for all the supported TLS layers, have at it. But like most things for non-OpenSSL, your mileage will vary.

> Ciao, Michael.
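The "just get it from TLS" route Kurt describes and the "display it to the user" case Michael has, as an added example that is not OpenLDAP, python-ldap or web2ldap code: Go's standard TLS stack exposes the peer certificate without the per-library #ifdef mess Hallvard mentions, so here a client upgrades an already-open connection the way StartTLS does, verifies the server against a pinned trust anchor, and gets the leaf certificate back as DER bytes (the form Howard proposed libldap could return) plus a SHA-256 fingerprint for display. The host name ldap.example.test, the self-signed fixture certificate and the in-memory connection are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// peerCertDER layers TLS over an already-open connection (the StartTLS shape; LDAPS only differs in
// doing it first), verifies the server against the caller's anchors, and returns the leaf cert as DER.
func peerCertDER(raw net.Conn, name string, roots *x509.CertPool) ([]byte, string, error) {
	c := tls.Client(raw, &tls.Config{ServerName: name, RootCAs: roots})
	defer c.Close()
	if err := c.Handshake(); err != nil {
		return nil, "", err
	}
	der := c.ConnectionState().PeerCertificates[0].Raw // exactly the bytes the server sent
	return der, fmt.Sprintf("SHA256:%X", sha256.Sum256(der)), nil
}

// demo plays both sides in memory: a server with a constructed self-signed fixture cert, a pinning client.
func demo() (got, want []byte, fp string, err error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"ldap.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if want, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key); err != nil {
		return
	}
	anchor, _ := x509.ParseCertificate(want) // cannot fail: DER was produced just above
	pool := x509.NewCertPool()               // stands in for the CA file libldap's TLS_CACERT names
	pool.AddCert(anchor)
	cli, srv := net.Pipe() // synchronous pipe: the server must not push post-handshake tickets
	go func() {
		cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{want}, PrivateKey: key}},
			SessionTicketsDisabled: true}
		tls.Server(srv, cfg).Handshake() // server side of the upgrade, then hang up
		srv.Close()
	}()
	got, fp, err = peerCertDER(cli, "ldap.example.test", pool)
	return
}
```

Because the DER comes straight out of the verified connection state, the bytes shown to the user are the bytes that were actually checked, which is the property a UI display of the server certificate depends on.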
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org