RE: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)
- To: <openldap-devel@OpenLDAP.org>
- Subject: RE: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)
- From: "Howard Chu" <email@example.com>
- Date: Tue, 14 Oct 2003 13:28:03 -0700
- Importance: Normal
- In-reply-to: <200310141906.h9EJ64HS093025@boole.openldap.org>
I believe a related issue was recently raised on the -software list; the
ldap_set_option TLS_CTX doesn't work on a fresh LDAP* because ld->ld_defconn
doesn't get created until an actual request is made that needs a connection.
The ld_defconn then gets used right away, without giving an opportunity to
reconfigure it. So you can't override things on a per-session basis, you must
override the global tls_def_ctx.
Given that we have this unusable ldap_set_option function at the moment, we
can either remove it or make it work by adding a ld_tls_ctx pointer to the
LDAP*, so it can be set before the ld_defconn is created. But this creates an
ambiguity in the ldap_get_option side... What next?
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> Sent: Tuesday, October 14, 2003 12:06 PM
> To: openldap-its@OpenLDAP.org
> Subject: Re: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)
> A couple of quick comments (without really looking at your tls.c
> patch... I'll leave most of that to others who are more familiar
> with that code).
> Setting of options should be done through the ldap_set_option(3) API.
> Likely should support global and per-session callbacks.
> supports both. Also, we shouldn't provide options for things which
> can be managed through the TLS_CTX option. That is, -lldap should
> avoid knowing too much about OpenSSL and/or TLS details.
> Lastly, no file in the tarball includes a notice. See
> <http://www.openldap.org/devel/contributing.html> for guidelines.
> I suggest you provide a notice in a separate COPYRIGHT file.
> At 08:14 AM 10/14/2003, firstname.lastname@example.org wrote:
> >Full_Name: Prashant Kumar.
> >Version: 2.1.22 (20030709)
> >OS: Linux
> >URL: ftp://ftp.openldap.org/incoming/
> >Submission from: (NULL) (126.96.36.199)
> >Right now, while using OpenLdap with TLS/SSL, there are no APIs to specify
> >user-customized "verify_callback" and "verify_depth". Also, there are no APIs
> >to input the CA cert, client cert and client cert key onto the SSL context in
> >binary (DER) format (right now, OpenLdap reads all this info from PEM files
> >whose path is specified in "ldap.conf").
> >This enhancement adds the following APIs to the OpenLdap library, which will
> >allow the user to do all the above things:
> >/*To set the verify callback*/
> >ldap_set_tls_verify_callback (
> >    int (*tls_verify_callback)(int, struct x509_store_ctx_s *));
> >/*To set the verify depth*/
> >ldap_set_tls_verify_depth (unsigned int verify_depth);
> >/*To set the CA cert*/
> >ldap_set_tls_cacert_bin (unsigned char *caCert, unsigned int len);
> >/*To set the client cert*/
> >ldap_set_tls_clientcert_bin (unsigned char *clientcert, unsigned int len);
> >/*To set the client cert key*/
> >ldap_set_tls_clientcert_key_bin (unsigned char *clientkey, unsigned int len);
> >I have changed two files, "include/ldap.h" and "libraries/libldap/tls.c", to
> >accommodate these features and I have uploaded these changes as a tar ball
> >(this tar ball has 2 patches, one for ldap.h and the other one for tls.c) onto
> >"ftp://ftp.openldap.org/incoming/". The tar ball name is
> >Thank you,
> >Prashant Kumar
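Added example, not part of the thread and not libldap code: a small C model of the connection lifecycle Howard describes above. The struct and option names (`ldap`, `conn`, `OPT_TLS_CTX`, `set_option_current`, `set_option_proposed`, `first_request`) are hypothetical stand-ins for `ld_defconn`, `tls_def_ctx`, the proposed `ld_tls_ctx` pointer and the TLS_CTX option; the point it shows is the ordering problem (the default connection is created and used on the first request, so a per-session context must already be recorded on the handle before that) and the `get_option` ambiguity Howard raises (return the raw per-session pointer, or the context the session will actually use).

```c
#include <stddef.h>

/* Hypothetical model of the libldap lifecycle discussed in the thread.
 * NOT libldap code: names below are stand-ins for ld_defconn, tls_def_ctx,
 * the proposed ld_tls_ctx and the TLS_CTX option of ldap_set_option(3). */

typedef struct tls_ctx { const char *label; } tls_ctx;

/* Library-wide default context (stands in for tls_def_ctx). */
static tls_ctx *tls_def_ctx = NULL;

/* Two constructed contexts used by the walkthrough below. */
static tls_ctx global_ctx  = { "global" };
static tls_ctx session_ctx = { "session" };

typedef struct conn {
    tls_ctx *handshake_ctx;  /* context the TLS handshake was started with */
} conn;

typedef struct ldap {
    conn    *ld_defconn;     /* created lazily by the first request */
    tls_ctx *ld_tls_ctx;     /* Howard's proposed per-session pointer */
    conn     defconn_storage;
} ldap;

#define OPT_TLS_CTX 1
#define OPT_SUCCESS 0
#define OPT_ERROR   (-1)

static ldap fresh_handle(void) {
    ldap ld = { NULL, NULL, { NULL } };
    return ld;
}

/* Proposed lookup order: per-session pointer if set, else the global default. */
static tls_ctx *effective_ctx(const ldap *ld) {
    return ld->ld_tls_ctx ? ld->ld_tls_ctx : tls_def_ctx;
}

/* First request: ld_defconn is created and used right away, so whatever
 * context is visible at this instant is the one the handshake runs with. */
static conn *first_request(ldap *ld) {
    if (!ld->ld_defconn) {
        ld->defconn_storage.handshake_ctx = effective_ctx(ld);
        ld->ld_defconn = &ld->defconn_storage;
    }
    return ld->ld_defconn;
}

/* Current behaviour as described in the mail: the option can only be applied
 * to an existing ld_defconn, so on a fresh handle there is nothing to set, and
 * once ld_defconn exists its handshake has already run with the old context. */
int set_option_current(ldap *ld, int opt, tls_ctx *ctx) {
    if (opt != OPT_TLS_CTX || !ld->ld_defconn) return OPT_ERROR;
    (void)ctx;              /* accepted, but the handshake is already done */
    return OPT_SUCCESS;
}

/* Proposed behaviour: record the context on the LDAP* itself, before any
 * connection exists, so first_request() picks it up. */
int set_option_proposed(ldap *ld, int opt, tls_ctx *ctx) {
    if (opt != OPT_TLS_CTX) return OPT_ERROR;
    ld->ld_tls_ctx = ctx;
    return OPT_SUCCESS;
}

/* The ldap_get_option ambiguity: the raw per-session pointer (NULL when the
 * caller never set one) versus the context the session will actually use. */
tls_ctx *get_option_raw(const ldap *ld)       { return ld->ld_tls_ctx; }
tls_ctx *get_option_effective(const ldap *ld) { return effective_ctx(ld); }

/* Walks both paths; returns 1 when the proposed path gives per-session control
 * while the current path falls back to the global context, as in the mail. */
int demo_per_session_override(void) {
    tls_def_ctx = &global_ctx;

    ldap a = fresh_handle();
    int rc_a = set_option_current(&a, OPT_TLS_CTX, &session_ctx); /* no defconn yet */
    conn *ca = first_request(&a);                                  /* global ctx used */

    ldap b = fresh_handle();
    int rc_b = set_option_proposed(&b, OPT_TLS_CTX, &session_ctx);
    conn *cb = first_request(&b);                                  /* session ctx used */

    return rc_a == OPT_ERROR && ca->handshake_ctx == &global_ctx &&
           rc_b == OPT_SUCCESS && cb->handshake_ctx == &session_ctx;
}

/* Returns 1 when, on a fresh handle with only the global default set, the two
 * get_option interpretations disagree (NULL versus the global context). */
int demo_get_option_ambiguity(void) {
    tls_def_ctx = &global_ctx;
    ldap ld = fresh_handle();
    return get_option_raw(&ld) == NULL && get_option_effective(&ld) == &global_ctx;
}
```

The model deliberately freezes the context at the moment `first_request()` creates the default connection, which is the property that makes a later per-session `set_option` ineffective; whichever way the `get_option` question is settled, callers that want a per-session context have to set it before the first operation on the handle.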