[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS behavior


I'm interested in TLS support in openldap client apps and libraries.  I
have been meaning look at this for some time, but only recently I finally
downloaded and worked a bit with openldap 2.0.23.  Since my question has
to do with how the library handles certificates, and whether a developer
can customize this behavior, I decided to post it here rather than

My understanding of client TLS support (i.e.  command line tools like
ldapsearch, or apps that use libldap) is the following:

1) it enforces the requirement that the subject DN in the certificate
contain the FQDN of the hostname you supplied,

2) if the FQDN does not match the cn in the subject DN, it will look in
the subjectAltName extension for a match.  This is helpful for load
balancers scenarios where the FQDN would not match the subject DN,

3) no CA certificate checking is done.

Supposedly steps 1 and 2 are to guard against man-in-the-middle attacks,
but I can't find any reference anywhere for how to configure a client with
a local store of 'trusted root CA certificates'.  This means that a
man-in-the-middle attack is still possible.  I have run 'strace' on
ldapsearch and have not seen it trying to find trusted roots anywhere.

Can anyone provide a bit of insight?  Is there any provision for
certificate verification callbacks to override this default behavior.
Also my understanding is that the practice of two ports for each app (one
regular port and one SSL/TLS port) is being deprecated.  Does the openldap
library only support the start-tls on port 389 now, or is SSL/TLS on port
636 still supported?