
RE: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)



> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]

> How about we change the code so that an ldap_get_option( ld, TLS_CTX )
> by the program would cause, if done before the first starttls request,
> early creation of the context handle?

That seems a bit bad to have such a side-effect on an ldap_get_option call.

How about we add a ld->ld_def_tls_ctx, which is set by ldap_set_option. When
ld->ld_defconn is created, it will use ld_def_tls_ctx if it was set,
otherwise it behaves as before.

On ldap_set_option, if the ld->ld_defconn exists, its lconn_tls_ctx is set at
the same time.

> Kurt
>
> At 01:28 PM 10/14/2003, Howard Chu wrote:
> >I believe a related issue was recently raised on the -software list; the
> >ldap_set_option TLS_CTX doesn't work on a fresh LDAP* because ld->ld_defconn
> >doesn't get created until an actual request is made that needs a connection.
> >The ld_defconn then gets used right away, without giving an opportunity to
> >reconfigure it. So you can't override things on a per-session basis, you must
> >override the global tls_def_ctx.
> >
> >Given that we have this unusable ldap_set_option function at the moment, we
> >can either remove it or make it work by adding a ld_tls_ctx pointer to the
> >LDAP*, so it can be set before the ld_defconn is created. But this creates an
> >ambiguity in the ldap_get_option side... What next?
> >
> >  -- Howard Chu
> >  Chief Architect, Symas Corp.       Director, Highland Sun
> >  http://www.symas.com               http://highlandsun.com/hyc
> >  Symas: Premier OpenSource Development and Support
> >
> >> -----Original Message-----
> >> From: owner-openldap-bugs@OpenLDAP.org
> >> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> >> Kurt@OpenLDAP.org
> >> Sent: Tuesday, October 14, 2003 12:06 PM
> >> To: openldap-its@OpenLDAP.org
> >> Subject: Re: Flexibility to use customized "verify_callback"
> >> while using
> >> OpenLdap with TLS (ITS#2767)
> >>
> >>
> >> A couple of quick comments (without really looking at your tls.c
> >> patch... I'll leave most of that to others who are more familiar
> >> with that code).
> >>
> >> Setting of options should be done through the ldap_set_option(3) API.
> >> Likely should support global and per-session callbacks. ldap_set_option(3)
> >> supports both.  Also, we shouldn't provide options for things which
> >> can be managed through the TLS_CTX option.  That is, -lldap should
> >> avoid knowing too much about OpenSSL and/or TLS details.
> >>
> >> Lastly, no file in the tarball includes a notice.  See
> >> <http://www.openldap.org/devel/contributing.html> for guidelines.
> >> I suggest you provide a notice in a separate COPYRIGHT file.
> >>
> >> Kurt
> >>
> >>
> >> At 08:14 AM 10/14/2003, prkumar@nortelnetworks.com wrote:
> >> >Full_Name: Prashant Kumar.
> >> >Version: 2.1.22 (20030709)
> >> >OS: Linux
> >> >URL: ftp://ftp.openldap.org/incoming/
> >> >Submission from: (NULL) (47.234.0.52)
> >> >
> >> >
> >> >Right now, while using OpenLdap with TLS/SSL, there are no APIs to specify user
> >> >customized "verify_callback" and "verify_depth". Also, there are no APIs to
> >> >input the CA cert, client cert and client cert key onto the SSL context in the
> >> >binary (DER) format (right now, OpenLdap reads all this info from PEM files
> >> >whose path is specified in the "ldap.conf").
> >> >
> >> >This enhancement adds the following APIs to the OpenLdap library which will allow the
> >> >user to do all the above things:
> >> >
> >> >/*To set the verify callback*/
> >> >ldap_set_tls_verify_callback (
> >> >      int (*tls_verify_callback)(int, struct x509_store_ctx_s *));
> >> >
> >> >/*To set the verify depth*/
> >> >ldap_set_tls_verify_depth (unsigned int verify_depth);
> >> >
> >> >/*To set the CA cert*/
> >> >ldap_set_tls_cacert_bin (unsigned char *caCert, unsigned int len);
> >> >
> >> >/*To set the client cert*/
> >> >ldap_set_tls_clientcert_bin (unsigned char *clientcert, unsigned int len);
> >> >
> >> >/*To set the client cert key*/
> >> >ldap_set_tls_clientcert_key_bin (unsigned char *clientkey, unsigned int len);
> >> >
> >> >I have changed two files "include/ldap.h" and "libraries/libldap/tls.c" to
> >> >accommodate these features and I have uploaded these changes as a tar ball (this
> >> >tar ball has 2 patches, one for ldap.h and the other one for tls.c) onto
> >> >"ftp://ftp.openldap.org/incoming/". The tar ball name is
> >> >"prashant-kumar-openldap-031014.tgz"
> >> >
> >> >
> >> >Thank you,
> >> >Prashant Kumar
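The ordering problem the thread is about, modelled in C as an added example (not OpenLDAP code and not from anyone in the thread): a TLS_CTX set through ldap_set_option on a fresh LDAP* is silently dropped because ld_defconn does not exist yet, so StartTLS falls back to the global default context, whereas the proposed ld_def_tls_ctx field keeps the per-session setting whichever order the calls happen in. The struct and function names are simplified stand-ins constructed for this example, not libldap's real definitions.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for libldap internals, not the real structures. */
typedef struct tls_ctx { const char *label; } tls_ctx;          /* stands in for SSL_CTX */
typedef struct ldap_conn { tls_ctx *lconn_tls_ctx; } ldap_conn;
typedef struct ldap_handle {
    ldap_conn *ld_defconn;      /* created lazily by the first request */
    tls_ctx   *ld_def_tls_ctx;  /* proposed per-session default */
} LDAP;
static tls_ctx tls_def_ctx = { "global default" };

/* Pre-fix behaviour as described in the thread: the option only reaches an
 * already-created ld_defconn, so on a fresh LDAP* it is silently dropped. */
static void old_set_option_tls_ctx(LDAP *ld, tls_ctx *ctx)
{
    if (ld->ld_defconn != NULL)
        ld->ld_defconn->lconn_tls_ctx = ctx;
}

/* Proposed behaviour: remember the ctx on the handle and, if ld_defconn
 * already exists, update its lconn_tls_ctx at the same time. */
static void ldap_set_option_tls_ctx(LDAP *ld, tls_ctx *ctx)
{
    ld->ld_def_tls_ctx = ctx;
    if (ld->ld_defconn != NULL)
        ld->ld_defconn->lconn_tls_ctx = ctx;
}

/* Lazy creation of ld_defconn; with the fix it prefers the per-session ctx. */
static ldap_conn *ldap_new_defconn(LDAP *ld)
{
    if (ld->ld_defconn == NULL) {
        ld->ld_defconn = calloc(1, sizeof *ld->ld_defconn);
        ld->ld_defconn->lconn_tls_ctx =
            ld->ld_def_tls_ctx ? ld->ld_def_tls_ctx : &tls_def_ctx;
    }
    return ld->ld_defconn;
}

/* Label of the ctx StartTLS would use: old or fixed set_option, fresh or connected handle. */
static const char *tls_ctx_used(int fixed, int set_before_connect)
{
    LDAP ld = { NULL, NULL };
    tls_ctx mine = { "per-session" };
    if (!set_before_connect)
        ldap_new_defconn(&ld);          /* an earlier request created ld_defconn */
    (fixed ? ldap_set_option_tls_ctx : old_set_option_tls_ctx)(&ld, &mine);
    const char *label = ldap_new_defconn(&ld)->lconn_tls_ctx->label;
    free(ld.ld_defconn);
    return label;
}
```

The only combination that loses the caller's verification settings is the pre-fix set_option on a fresh handle, which is exactly the case where an application believes it has installed a stricter per-session context but is actually validating the server with the global default.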