
(ITS#4383) Enhancement request : Interactive SSL Support

Full_Name: Palaniappan N
Version: Latest
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (


This is an enhancement request for the interactiveness of connection over SSL.

The description is as follows:

The Interactive SSL feature is used when the client does not have the
certificate and still wants to connect to the server on a secure channel (SSL)
after verifying the server certificate.


The application provides a callback mechanism that is called to handle the
certificate when non-trusted certificates are encountered while connecting
to an LDAP server.
If a certificate is not found in the list of trusted certificates, the callback
function is called to review the certificate. This method provides helper
functions to determine and retrieve the characteristics of the certificate, so
the application can decide whether or not to trust the certificate.
The callback function can then choose to accept or reject the certificate.

Certificate Callback Function:

To create the certificate callback function, the following are needed:
1. Determine the criteria for accepting or rejecting certificates based on the
certificate status, issuer, subject, and validity period.
2. Retrieve the certificate status and other certificate information and
determine if the certificate meets the acceptance criteria.
3. Specify whether to accept or reject the certificate.

Certificate Status:

The SSL certificate status codes have to be defined. The status code indicates
the reason the callback function was called. For example, the certificate might
be untrusted, contain an invalid date, or have a formatting error. In most cases, the
invalid certificates will be rejected, though the application can find out more
about the certificate and decide based on other factors.

User Scenarios where Interactive SSL can be used:

Installing an application which requires an SSL connection to the server, whose
certificate is not available with the client.

When the client needs to add the certificate automatically rather than manually
to the certificate store.
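
A sketch of the three-step callback described above, added here as an example; it is not code from the request or from OpenLDAP. All type, function and status names are hypothetical, and the pinned fingerprint is an added assumption beyond the listed criteria, because the subject and issuer of an untrusted certificate are self-asserted.

```c
#include <string.h>
#include <time.h>

/* Hypothetical status codes; the request only says they "have to be defined". */
typedef enum { CERT_UNTRUSTED, CERT_BAD_DATE, CERT_BAD_FORMAT } cert_status;
typedef enum { CERT_REJECT = 0, CERT_ACCEPT = 1 } cert_decision;

/* Hypothetical result of the proposed helper functions. */
typedef struct {
    const char *subject;
    const char *issuer;
    const char *sha256_hex;   /* assumption: a fingerprint helper exists */
    time_t not_before, not_after;
} cert_info;

/* Step 1: acceptance criteria chosen by the application. */
typedef struct {
    const char *subject;
    const char *issuer;
    const char *pinned_sha256_hex; /* obtained out of band */
    time_t now;
} cert_policy;

/* Steps 2 and 3: inspect the certificate, then accept or reject.
 * Called only for certificates missing from the trusted list. */
cert_decision review_cert(cert_status st, const cert_info *c, const cert_policy *p)
{
    if (!c || !p || !c->subject || !c->issuer || !c->sha256_hex)
        return CERT_REJECT;
    if (st != CERT_UNTRUSTED)            /* bad date or format: never override */
        return CERT_REJECT;
    if (p->now < c->not_before || p->now > c->not_after)
        return CERT_REJECT;
    if (strcmp(c->subject, p->subject) || strcmp(c->issuer, p->issuer))
        return CERT_REJECT;
    /* Names in an untrusted certificate are self-asserted; the pin decides. */
    if (strcmp(c->sha256_hex, p->pinned_sha256_hex))
        return CERT_REJECT;
    return CERT_ACCEPT;
}

/* Constructed sample values (shortened placeholder fingerprints), not from a real server. */
const cert_info sample_cert = { "cn=ldap.example.com", "cn=Example CA", "ab12", 1000, 2000 };
const cert_policy policy_ok = { "cn=ldap.example.com", "cn=Example CA", "ab12", 1500 };
const cert_policy policy_expired = { "cn=ldap.example.com", "cn=Example CA", "ab12", 2500 };
const cert_policy policy_other_pin = { "cn=ldap.example.com", "cn=Example CA", "cd34", 1500 };
```

The callback rejects by default and accepts only when every criterion holds, so a status code the application does not recognise can never result in trust.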