[Date Prev][Date Next]
Re: (ITS#4383) Enhancement request : Interactive SSL Support
It strikes me that anyone wanting to use such a feature must already
know a lot more about the underlying SSL API.
As such, this capability already exists - just use ldap_get_option to
retrieve the current TLS context and use the appropriate OpenSSL API to
set your own RSA callback function.
> Full_Name: Palaniappan N
> Version: Latest
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (220.127.116.11)
> This is an enhancement request for the interactiveness of connection over SSL.
> The description is as follows:
> The Interactive SSL feature is used when the client does not have the
> certificate and still wants to connect to the server on a secure channel (SSL)
> after verifying the server certificate.
> The application provides a callback mechanism that is called to handle the
> certificate, when non-trusted certificates are encountered while doing a
> connection to an LDAP server.
> If a certificate is not found in the list of trusted certificates, the callback
> function is called to review the certificate. This method provides helper
> functions to determine and retrieve the characteristics of the certificate, so
> the application can decide whether or not to trust the certificate.
> The callback function can then choose to accept or reject the certificate.
> Certificate Callback Function:
> To create the certificate callback function the following are needed:
> 1. Determine the criteria for accepting or rejecting certificates based on the
> certificate status, issuer, subject, and validity period.
> 2. Retrieve the certificate status and other certificate information and
> determine if the certificate meets the acceptance criteria.
> 3. Specify whether to accept the certificate or to reject.
> Certificate Status:
> The SSL certificate status codes have to be defined. The status code indicates
> the reason the callback function was called. For example, the certificate might
> be untrusted, contain an invalid date, or a formatting error. In most cases the
> invalid certificates will be rejected, though the application can find out more
> about the certificate and decide based on other factors.
> User Scenarios where Interactive SSL can be used:
> Installing an application which requires an SSL connection to the server , whose
> certificate is not available with the client
> When the client needs to add the certificate automatically rather than manually
> to the certificate store.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/