RE: error reporting in tls_get_cert()

That's not quite how it works. tls_get_cert doesn't verify anything, that's
something that the SSL library does by itself. TLS verification status is
already logged at every stage of the procedure by tls_verify_cb (callback
function). tls_get_cert ignores the verify result because it has already
been logged long before tls_get_cert is invoked. Even running at debug level
1 is sufficient to display these messages.

I think the problem here is that by default, a cert verify failure is not
treated as a fatal error, so the error is ignored. You can set the behavior
on a cert failure using the TLS_REQCERT option in your .ldaprc, but the
default is non-fatal. However, the ldap_pvt_tls_check_hostname function
always considers it a fatal error if it cannot obtain the peer's
certificate. Perhaps we should change the client default (and eliminate the
TLS_REQCERT option) since we're pretty much requiring it now. Either that or
we tie ldap_pvt_tls_check_hostname's behavior to the TLS_REQCERT setting, so
that it is also non-fatal by default. My tendency here is to lean on the
conservative side since that's the point of using TLS in the first place,
and make the default be to treat verify failures as fatal errors.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kervin L. Pierre

> Hello,
> I've been trying to track down the reason for SSL/TLS not working on my
> system from current CVS.
> The function tls_get_cert() verifies certs, but lumps all errors
> returned from SSL_get_verify_result() as "bad certificate".
> The test in tls_get_cert() looks like...
> tls_get_cert( SSL *s )
> {
>          /* If peer cert was bad, treat as if no cert was given */
>          if (SSL_get_verify_result(s)) {
>                  /* If we can send an alert, do so */
> ...
> The value returned from SSL_get_verify_result() is thrown away.  But
> this value is important for debugging and should be reported to the
> user.  The error messages for the return value can be found in the
> "openssl verify" manpage or http://www.openssl.org/docs/apps/verify.html
> I know logging is in flux right now.  But can this be reported to the
> user at some debug level?  I am willing to do the patch if advised.
> --Kervin
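The interaction the two messages describe (the verify result discarded by tls_get_cert, a verify failure non-fatal by default, and the hostname check always fatal without a peer certificate) modelled as a small policy function, added here as an example that is not OpenLDAP's code; the enum names, the static message buffer and the `have_peer_cert` flag are this example's own assumptions, and the numeric code stands in for what SSL_get_verify_result() would return.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy, modelled on the TLS_REQCERT setting under discussion. */
enum reqcert_mode { REQCERT_NONFATAL = 0, REQCERT_FATAL = 1 };

/* Outcome of the post-handshake checks: 0 accept, nonzero reject. */
enum tls_outcome { TLS_ACCEPT = 0, TLS_REJECT_VERIFY = 1, TLS_REJECT_NO_CERT = 2 };

/* The diagnostic that should reach the log instead of being thrown away. */
static char tls_last_msg[256];

/* verify_result : value SSL_get_verify_result() would return (0 == X509_V_OK)
 * have_peer_cert: whether a peer certificate was obtained at all
 * mode          : whether a verify failure is fatal (the TLS_REQCERT choice) */
int tls_check_peer(long verify_result, int have_peer_cert, enum reqcert_mode mode)
{
    int n;
    if (verify_result != 0) {
        /* Report the actual code rather than a blanket "bad certificate";
         * a real implementation would also pass it to X509_verify_cert_error_string(). */
        n = snprintf(tls_last_msg, sizeof tls_last_msg,
                     "TLS: peer certificate verify failed, code %ld (see openssl verify(1))%s",
                     verify_result,
                     mode == REQCERT_FATAL ? ", rejecting" : ", continuing (non-fatal)");
        if (mode == REQCERT_FATAL)
            return TLS_REJECT_VERIFY;
        /* Non-fatal: the cert is treated as if none was given, as tls_get_cert() does. */
        have_peer_cert = 0;
    } else {
        n = snprintf(tls_last_msg, sizeof tls_last_msg, "TLS: peer certificate verified OK");
    }
    if (n < 0 || (size_t)n >= sizeof tls_last_msg)
        n = (int)sizeof tls_last_msg - 1;  /* clamp so the append below stays in bounds */
    /* The hostname check cannot run without a certificate, so it is always fatal here. */
    if (!have_peer_cert) {
        snprintf(tls_last_msg + n, sizeof tls_last_msg - n,
                 "; hostname check failed: no peer certificate to check");
        return TLS_REJECT_NO_CERT;
    }
    return TLS_ACCEPT;
}

int main(void)
{
    /* Constructed scenarios: code 10 is X509_V_ERR_CERT_HAS_EXPIRED in OpenSSL. */
    printf("%d: %s\n", tls_check_peer(0, 1, REQCERT_NONFATAL), tls_last_msg);
    printf("%d: %s\n", tls_check_peer(10, 1, REQCERT_NONFATAL), tls_last_msg);
    printf("%d: %s\n", tls_check_peer(10, 1, REQCERT_FATAL), tls_last_msg);
    printf("%d: %s\n", tls_check_peer(0, 0, REQCERT_FATAL), tls_last_msg);
    return 0;
}
```

With the non-fatal default, the second scenario shows why the user only ever saw the hostname-check failure: the verify code is still in the message here, whereas the original code discarded it.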