
RE: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)



How about we change the code so that a ldap_get_option( ld, TLS_CTX )
call, if done before the first starttls request, causes early creation
of the context handle?

Kurt

At 01:28 PM 10/14/2003, Howard Chu wrote:
>I believe a related issue was recently raised on the -software list; the
>ldap_set_option TLS_CTX doesn't work on a fresh LDAP* because ld->ld_defconn
>doesn't get created until an actual request is made that needs a connection.
>The ld_defconn then gets used right away, without giving an opportunity to
>reconfigure it. So you can't override things on a per-session basis, you must
>override the global tls_def_ctx.
>
>Given that we have this unusable ldap_set_option function at the moment, we
>can either remove it or make it work by adding a ld_tls_ctx pointer to the
>LDAP*, so it can be set before the ld_defconn is created. But this creates an
>ambiguity in the ldap_get_option side... What next?
>
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support
>
>> -----Original Message-----
>> From: owner-openldap-bugs@OpenLDAP.org
>> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
>> Kurt@OpenLDAP.org
>> Sent: Tuesday, October 14, 2003 12:06 PM
>> To: openldap-its@OpenLDAP.org
>> Subject: Re: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)
>>
>>
>> A couple of quick comments (without really looking at your tls.c
>> patch... I'll leave most of that to others who are more familiar
>> with that code).
>>
>> Setting of options should be done through the ldap_set_option(3) API.
>> Likely should support global and per-session callbacks. ldap_set_option(3)
>> supports both.  Also, we shouldn't provide options for things which
>> can be managed through the TLS_CTX option.  That is, -lldap should
>> avoid knowing too much about OpenSSL and/or TLS details.
>>
>> Lastly, no file in the tarball includes a notice.  See
>> <http://www.openldap.org/devel/contributing.html> for guidelines.
>> I suggest you provide a notice in a separate COPYRIGHT file.
>>
>> Kurt
>>
>>
>> At 08:14 AM 10/14/2003, prkumar@nortelnetworks.com wrote:
>> >Full_Name: Prashant Kumar.
>> >Version: 2.1.22 (20030709)
>> >OS: Linux
>> >URL: ftp://ftp.openldap.org/incoming/
>> >Submission from: (NULL) (47.234.0.52)
>> >
>> >
>> >Right now, while using OpenLdap with TLS/SSL, there are no APIs to specify user
>> >customized "verify_callback" and "verify_depth". Also, there are no APIs to
>> >input the CA cert, client cert and client cert key onto the SSL context in the
>> >binary (DER) format (right now, OpenLdap reads all this info from PEM files
>> >whose path is specified in the "ldap.conf").
>> >
>> >This enhancement adds the following APIs to the OpenLdap library, which will allow the
>> >user to do all the above things:
>> >
>> >/*To set the verify callback*/
>> >ldap_set_tls_verify_callback (
>> >      int (*tls_verify_callback)(int, struct x509_store_ctx_s *));
>> >
>> >/*To set the verify depth*/
>> >ldap_set_tls_verify_depth (unsigned int verify_depth);
>> >
>> >/*To set the CA cert*/
>> >ldap_set_tls_cacert_bin (unsigned char *caCert,unsigned int len);
>> >
>> >/*To set the client cert*/
>> >ldap_set_tls_clientcert_bin (unsigned char *clientcert, unsigned int len);
>> >
>> >/*To set the client cert key*/
>> >ldap_set_tls_clientcert_key_bin (unsigned char *clientkey, unsigned int len);
>> >
>> >I have changed two files "include/ldap.h" and "libraries/libldap/tls.c" to
>> >accommodate these features and I have uploaded these changes as a tar ball (this
>> >tar ball has 2 patches, one for ldap.h and other one for tls.c) onto
>> >"ftp://ftp.openldap.org/incoming/". The tar ball name is
>> >"prashant-kumar-openldap-031014.tgz"
>> >
>> >
>> >Thank you,
>> >Prashant Kumar
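The ordering problem Howard describes (a TLS_CTX set on a fresh LDAP* is lost because ld_defconn does not exist yet and is used the moment it is created) and the two proposals in the thread (a handle-level ld_tls_ctx pointer, or early connection creation on ldap_get_option), as a constructed C model added here; it is not libldap code, and the LDAP, ldap_conn and tls_ctx types and the scenario functions are stand-ins for the real structures:

```c
#include <stddef.h>
#include <string.h>
/* Constructed model of the ordering problem described in the thread; not libldap
 * code. Names follow the messages: ld_defconn, tls_def_ctx, proposed ld_tls_ctx. */
typedef struct { const char *label; } tls_ctx;
typedef struct { tls_ctx *ctx; } ldap_conn;
typedef struct {
    ldap_conn *ld_defconn;  /* created lazily by the first request needing a connection */
    tls_ctx   *ld_tls_ctx;  /* proposed per-session pointer; NULL means use the global */
    ldap_conn  storage;     /* backing store for ld_defconn in this model */
} LDAP;
static tls_ctx  global_ctx  = { "tls_def_ctx" };
static tls_ctx *tls_def_ctx = &global_ctx;
/* Connection creation snapshots whichever context is in effect at that moment. */
static void new_defconn(LDAP *ld) {
    ld->ld_defconn = &ld->storage;
    ld->ld_defconn->ctx = ld->ld_tls_ctx ? ld->ld_tls_ctx : tls_def_ctx;
}
/* As reported: set_option reaches only ld_defconn, so on a fresh LDAP* the value is lost. */
int set_tls_ctx_old(LDAP *ld, tls_ctx *ctx) {
    if (ld->ld_defconn == NULL) return -1;
    ld->ld_defconn->ctx = ctx;
    return 0;
}
/* Howard's fix: keep the context on the handle until ld_defconn is created. */
int set_tls_ctx_new(LDAP *ld, tls_ctx *ctx) { ld->ld_tls_ctx = ctx; return 0; }
/* Kurt's proposal: get_option before the first request creates the connection early. */
tls_ctx *get_tls_ctx_early(LDAP *ld) {
    if (ld->ld_defconn == NULL) new_defconn(ld);
    return ld->ld_defconn->ctx;
}
/* A request needing a connection creates ld_defconn and uses it at once; 1 if it used `want`. */
static int first_request_uses(LDAP *ld, const tls_ctx *want) {
    if (ld->ld_defconn == NULL) new_defconn(ld);
    return strcmp(ld->ld_defconn->ctx->label, want->label) == 0;
}
int scenario_old_set_on_fresh_handle(void) {      /* returns 0: the override is lost */
    LDAP ld = {0}; tls_ctx s = { "session ctx" };
    return set_tls_ctx_old(&ld, &s) == 0 && first_request_uses(&ld, &s);
}
int scenario_new_set_on_fresh_handle(void) {      /* returns 1 */
    LDAP ld = {0}; tls_ctx s = { "session ctx" };
    return set_tls_ctx_new(&ld, &s) == 0 && first_request_uses(&ld, &s);
}
int scenario_early_creation_then_old_set(void) {  /* returns 1 */
    LDAP ld = {0}; tls_ctx s = { "session ctx" };
    (void)get_tls_ctx_early(&ld);
    return set_tls_ctx_old(&ld, &s) == 0 && first_request_uses(&ld, &s);
}
```

Note that in the early-creation variant the freshly created connection starts out pointing at the global context, so a caller must still set (or copy) a per-session context before configuring it, or the override lands on tls_def_ctx for every session.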