OpenLDAP Issue Tracking System

Viewing Software Enhancements/7398

From: michael@stroeder.com
Subject: Retrieve LDAP server cert
10 followups
Date: Fri, 21 Sep 2012 17:20:59 +0000
From: michael@stroeder.com
To: openldap-its@OpenLDAP.org
Subject: Retrieve LDAP server cert
Full_Name: Michael Ströder
Version: 
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)


Feature request:
When using LDAPS or StartTLS it would be sometimes handy to retrieve the LDAP
server certificate over the LDAP client API.

Opinions?

Followup 1

Date: Fri, 21 Sep 2012 10:43:42 -0700
From: Howard Chu <hyc@symas.com>
To: michael@stroeder.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#7398) Retrieve LDAP server cert
michael@stroeder.com wrote:
> Full_Name: Michael Ströder
> Version: 
> OS: 
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
> 
> 
> Feature request:
> When using LDAPS or StartTLS it would be sometimes handy to retrieve the LDAP
> server certificate over the LDAP client API.
> 
> Opinions?

And then what? I think it'd be straightforward for us to return a copy of it
in DER binary format. What do clients need to do with it?

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 2

To: Howard Chu <hyc@symas.com>
Cc: <openldap-its@openldap.org>
From: "Michael Ströder" <michael@stroeder.com>
Subject: Re: (ITS#7398) Retrieve LDAP server cert
Date: Fri, 21 Sep 2012 20:28:02 +0200
On Fri, 21 Sep 2012 10:43:42 -0700 Howard Chu <hyc@symas.com> wrote
> michael@stroeder.com wrote:
> > Feature request:
> > When using LDAPS or StartTLS it would be sometimes handy to retrieve the
> > LDAP server certificate over the LDAP client API.
> > 
> > Opinions?
> 
> And then what? I think it'd be straightforward for us to return a copy of
> it in DER binary format. What do clients need to do with it?

In my case (web2ldap): Simply display it to the user.

If it's not too much work this would be a handy feature.

Ciao, Michael.




Followup 3

Subject: Re: (ITS#7398) Retrieve LDAP server cert
From: Kurt Zeilenga <Kurt@OpenLDAP.org>
Date: Fri, 21 Sep 2012 15:53:17 -0700
Cc: openldap-its@OpenLDAP.org
To: michael@stroeder.com
Why not just get it from TLS? 

-- Kurt



Followup 4

Date: Sat, 22 Sep 2012 13:44:15 +0200
From: Michael Ströder <michael@stroeder.com>
To: Kurt Zeilenga <Kurt@OpenLDAP.org>
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7398) Retrieve LDAP server cert
Kurt Zeilenga wrote:
> Why not just get it from TLS?

What exactly do you mean?

Ciao, Michael.




Followup 5

Date: Sat, 22 Sep 2012 15:50:35 +0200
From: Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>
To: <michael@stroeder.com>
Cc: <openldap-its@openldap.org>
Subject: Re: (ITS#7398) Retrieve LDAP server cert
michael@stroeder.com wrote:
> Kurt Zeilenga wrote:
>> Why not just get it from TLS?

That does require an #ifdef <which TLS implementation> mess in
the client.  libldap already has that.

> What exactly do you mean?

In OpenSSL, SSL_get_peer_certificate().

I note that it might also or instead make sense to ask for the
cert chain - OpenSSL SSL_get_peer_cert_chain().  Which quickly
dives into how many other TLS session attributes it would make
sense to kindly provide an LDAP API interface to...

Hallvard



Followup 6

Date: Sat, 22 Sep 2012 15:59:48 +0200
From: Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>
To: <michael@stroeder.com>
Cc: <openldap-its@openldap.org>
Subject: Re: (ITS#7398) Retrieve LDAP server cert
I wrote:
> In OpenSSL, SSL_get_peer_certificate().

..after getting the SSL* arg with
ldap_get_option LDAP_OPT_X_TLS_SSL_CTX.
Which the manpage recommends not doing.  At least
don't meddle with the SSL* more than you have to.

Hallvard



Followup 7

Date: Sat, 22 Sep 2012 16:10:37 +0200
Subject: Re: (ITS#7398) Retrieve LDAP server cert
From: "Pierangelo Masarati" <masarati@aero.polimi.it>
To: h.b.furuseth@usit.uio.no
Cc: openldap-its@openldap.org
>  I wrote:
>> In OpenSSL, SSL_get_peer_certificate().
>
>  ..after getting the SSL* arg with
>  ldap_get_option LDAP_OPT_X_TLS_SSL_CTX.
>  Which the manpage recommends not doing.  At least
>  don't meddle with the SSL* more than you have to.

I presume Michael's case is one of the few in which the client would pay
enough attention to details when using such an option.

Whether a case like this deserves an OpenLDAP API is questionable, since
it is not an LDAP-specific issue, but rather a general SSL wrapping issue.
OTOH, as long as clever client design often needs it, I would not object
to adding such a feature.

p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano



Followup 8

Date: Sat, 22 Sep 2012 16:32:29 +0200
From: Michael Ströder <michael@stroeder.com>
To: Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7398) Retrieve LDAP server cert
Hallvard Breien Furuseth wrote:
> I wrote:
>> In OpenSSL, SSL_get_peer_certificate().
> 
> ..after getting the SSL* arg with
> ldap_get_option LDAP_OPT_X_TLS_SSL_CTX.
> Which the manpage recommends not doing.  At least
> don't meddle with the SSL* more than you have to.

Hmm, but then the client has to deal with whether libldap is linked to
OpenSSL, libnss or GnuTLS...

Unfortunately in the current project where I'm using web2ldap the python-ldap
libs are linked against the OpenLDAP libs shipped with Debian => GnuTLS.

Ciao, Michael.



Followup 9

Subject: Re: (ITS#7398) Retrieve LDAP server cert
From: Kurt Zeilenga <kurt@OpenLDAP.org>
Date: Sat, 22 Sep 2012 14:25:41 -0700
Cc: openldap-its@OpenLDAP.org
To: michael@stroeder.com
On Sep 22, 2012, at 8:24 AM, michael@stroeder.com wrote:

> Hallvard Breien Furuseth wrote:
>> I wrote:
>>> In OpenSSL, SSL_get_peer_certificate().
>> 
>> ..after getting the SSL* arg with
>> ldap_get_option LDAP_OPT_X_TLS_SSL_CTX.
>> Which the manpage recommends not doing.  At least
>> don't meddle with the SSL* more than you have to.

That statement, IIRC, was made mostly because unless you control your build of
libldap (or control which libldap you use), you don't know what TLS
implementation lies underneath.

> Hmm, but then the client has to deal with whether libldap is linked to
> OpenSSL, libnss or GnuTLS...

Yes, but often that's only one.

Anyways, I see little reason to add cert extraction code in libldap.  Most folks
who need this need it for more than one protocol, and it's easier/better for
them to use common facilities for doing this across all these protocols.

But, hey, if someone wants to write such code for all the supported TLS layers,
have at it.  But like most things for non-OpenSSL, your mileage will vary.




Followup 10

Date: Tue, 10 Sep 2013 04:32:51 -0700
From: Howard Chu <hyc@symas.com>
To: Michael Ströder <michael@stroeder.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#7398) Retrieve LDAP server cert
Michael Ströder wrote:
> On Fri, 21 Sep 2012 10:43:42 -0700 Howard Chu <hyc@symas.com> wrote
>> michael@stroeder.com wrote:
>>> Feature request:
>>> When using LDAPS or StartTLS it would be sometimes handy to
>>> retrieve the LDAP server certificate over the LDAP client API.
>>>
>>> Opinions?
>>
>> And then what? I think it'd be straightforward for us to return a copy
>> of it in DER binary format. What do clients need to do with it?
>
> In my case (web2ldap): Simply display it to the user.

Probably would have been easier to just return the signature.

> If it's not too much work this would be a handy feature.

Added in master, please test - I have not tested any of this.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org