
Re: (ITS#4383) Enhancement request : Interactive SSL Support

It strikes me that anyone wanting to use such a feature must already 
know a lot more about the underlying SSL API.
As such, this capability already exists - just use ldap_get_option to 
retrieve the current TLS context and use the appropriate OpenSSL API to 
set your own RSA callback function.

npalaniappan@novell.com wrote:
> Full_Name: Palaniappan N
> Version: Latest
> OS: 
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> Hi,
> This is an enhancement request for the interactiveness of connection over SSL.
> The description is as follows:
> The Interactive SSL feature is used when the client does not have the
> certificate and still wants to connect to the server on a secure channel (SSL)
> after verifying the server certificate.
> Interactiveness:
> The application provides a callback mechanism that is called to handle the
> certificate, when non-trusted certificates are encountered while doing a
> connection to an LDAP server.
> If a certificate is not found in the list of trusted certificates, the callback
> function is called to review the certificate. This method provides helper
> functions to determine and retrieve the characteristics of the certificate, so
> the application can decide whether or not to trust the certificate.
> The callback function can then choose to accept or reject the certificate.
> Certificate Callback Function:
> To create the certificate callback function the following are needed:
> 1. Determine the criteria for accepting or rejecting certificates based on the
> certificate status, issuer, subject, and validity period.
> 2. Retrieve the certificate status and other certificate information and
> determine if the certificate meets the acceptance criteria.
> 3. Specify whether to accept or reject the certificate.
> Certificate Status:
> The SSL certificate status codes have to be defined. The status code indicates
> the reason the callback function was called. For example, the certificate might
> be untrusted, contain an invalid date, or a formatting error. In most cases the
> invalid certificates will be rejected, though the application can find out more
> about the certificate and decide based on other factors.
> User Scenarios where Interactive SSL can be used:
> Installing an application which requires an SSL connection to the server, whose
> certificate is not available with the client.
> When the client needs to add the certificate automatically rather than manually
> to the certificate store.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/