
RE: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)



At 02:06 PM 10/14/2003, Howard Chu wrote:
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>
>> How about we change the code so that when the program did
>> a ldap_get_option( ld, TLS_CTX ) would cause, if done before
>> the first starttls request, early creation of the context
>> handle?
>
>That seems a bit bad to have such a side-effect on a ldap_get_option call.

Well, I thought it better than creating the context at LDAP
handle creation time.

>How about we add a ld->ld_def_tls_ctx, which is set by ldap_set_option. When
>ld->ld_defconn is created, it will use ld_def_tls_ctx if it was set,
>otherwise it behaves as before.

This allows one to install a context, but it doesn't seem to
allow one to modify the context created by the library before
use by the library.

>On ldap_set_option, if the ld->ld_defconn exists, its lconn_tls_ctx is set at
>the same time.
>
>> Kurt
>>
>> At 01:28 PM 10/14/2003, Howard Chu wrote:
>> >I believe a related issue was recently raised on the -software list; the
>> >ldap_set_option TLS_CTX doesn't work on a fresh LDAP* because ld->ld_defconn
>> >doesn't get created until an actual request is made that needs a connection.
>> >The ld_defconn then gets used right away, without giving an opportunity to
>> >reconfigure it. So you can't override things on a per-session basis, you must
>> >override the global tls_def_ctx.
>> >
>> >Given that we have this unusable ldap_set_option function at the moment, we
>> >can either remove it or make it work by adding an ld_tls_ctx pointer to the
>> >LDAP*, so it can be set before the ld_defconn is created. But this creates an
>> >ambiguity in the ldap_get_option side... What next?
>> >
>> >  -- Howard Chu
>> >  Chief Architect, Symas Corp.       Director, Highland Sun
>> >  http://www.symas.com               http://highlandsun.com/hyc
>> >  Symas: Premier OpenSource Development and Support
>> >
>> >> -----Original Message-----
>> >> From: owner-openldap-bugs@OpenLDAP.org
>> >> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
>> >> Kurt@OpenLDAP.org
>> >> Sent: Tuesday, October 14, 2003 12:06 PM
>> >> To: openldap-its@OpenLDAP.org
>> >> Subject: Re: Flexibility to use customized "verify_callback"
>> >> while using
>> >> OpenLdap with TLS (ITS#2767)
>> >>
>> >>
>> >> A couple of quick comments (without really looking at your tls.c
>> >> patch... I'll leave most of that to others who are more familiar
>> >> with that code).
>> >>
>> >> Setting of options should be done through the ldap_set_option(3) API.
>> >> Likely should support global and per-session callbacks. ldap_set_option(3)
>> >> supports both.  Also, we shouldn't provide options for things which
>> >> can be managed through the TLS_CTX option.  That is, -lldap should
>> >> avoid knowing too much about OpenSSL and/or TLS details.
>> >>
>> >> Lastly, no file in the tarball includes a notice.  See
>> >> <http://www.openldap.org/devel/contributing.html> for guidelines.
>> >> I suggest you provide a notice in a separate COPYRIGHT file.
>> >>
>> >> Kurt
>> >>
>> >>
>> >> At 08:14 AM 10/14/2003, prkumar@nortelnetworks.com wrote:
>> >> >Full_Name: Prashant Kumar.
>> >> >Version: 2.1.22 (20030709)
>> >> >OS: Linux
>> >> >URL: ftp://ftp.openldap.org/incoming/
>> >> >Submission from: (NULL) (47.234.0.52)
>> >> >
>> >> >
>> >> >Right now, while using OpenLdap with TLS/SSL, there are no APIs to specify user
>> >> >customized "verify_callback" and "verify_depth". Also, there are no APIs to
>> >> >input the CA cert, client cert and client cert key onto the SSL context in the
>> >> >binary (DER) format (right now, OpenLdap reads all this info from PEM files
>> >> >whose path is specified in the "ldap.conf").
>> >> >
>> >> >This enhancement adds the following APIs to the OpenLdap library, which will
>> >> >allow the user to do all the above things:
>> >> >
>> >> >/*To set the verify callback*/
>> >> >ldap_set_tls_verify_callback (
>> >> >      int (*tls_verify_callback)(int, struct x509_store_ctx_s *));
>> >> >
>> >> >/*To set the verify depth*/
>> >> >ldap_set_tls_verify_depth (unsigned int verify_depth);
>> >> >
>> >> >/*To set the CA cert*/
>> >> >ldap_set_tls_cacert_bin (unsigned char *caCert, unsigned int len);
>> >> >
>> >> >/*To set the client cert*/
>> >> >ldap_set_tls_clientcert_bin (unsigned char *clientcert, unsigned int len);
>> >> >
>> >> >/*To set the client cert key*/
>> >> >ldap_set_tls_clientcert_key_bin (unsigned char *clientkey, unsigned int len);
>> >> >
>> >> >I have changed two files, "include/ldap.h" and "libraries/libldap/tls.c", to
>> >> >accommodate these features and I have uploaded these changes as a tar ball
>> >> >(this tar ball has 2 patches, one for ldap.h and the other one for tls.c) onto
>> >> >"ftp://ftp.openldap.org/incoming/". The tar ball name is
>> >> >"prashant-kumar-openldap-031014.tgz"
>> >> >
>> >> >
>> >> >Thank you,
>> >> >Prashant Kumar
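As an added illustration of the lifecycle problem Howard describes (a TLS_CTX set on a fresh LDAP* is lost because ld_defconn does not exist yet, so the connection falls back to the global default) beside the ld_def_tls_ctx approach he proposes. This is model code written for this page, not libldap's own; apart from the field names ld_defconn, ld_def_tls_ctx and lconn_tls_ctx taken from the thread, every type and function name is hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for an SSL_CTX; only its label matters in this model. */
typedef struct tls_ctx { const char *label; } tls_ctx;

/* The library-wide default the thread calls tls_def_ctx. */
static tls_ctx global_tls_def_ctx = { "global" };

typedef struct conn { tls_ctx *lconn_tls_ctx; } conn;

typedef struct ldap_handle {
    conn    *ld_defconn;      /* created lazily by the first request */
    tls_ctx *ld_def_tls_ctx;  /* proposed: remembered until ld_defconn exists */
} ldap_handle;

/* Old behaviour: the option can only reach an existing ld_defconn. */
int set_tls_ctx_old(ldap_handle *ld, tls_ctx *ctx) {
    if (ld->ld_defconn == NULL) return -1;  /* fresh LDAP*: nowhere to store it */
    ld->ld_defconn->lconn_tls_ctx = ctx;
    return 0;
}

/* Proposed behaviour: store it on the handle, and on ld_defconn if present. */
int set_tls_ctx_new(ldap_handle *ld, tls_ctx *ctx) {
    ld->ld_def_tls_ctx = ctx;
    if (ld->ld_defconn != NULL) ld->ld_defconn->lconn_tls_ctx = ctx;
    return 0;
}

/* First request: create ld_defconn, preferring the per-handle ctx when set. */
conn *ensure_defconn(ldap_handle *ld, conn *storage) {
    if (ld->ld_defconn == NULL) {
        storage->lconn_tls_ctx = ld->ld_def_tls_ctx ? ld->ld_def_tls_ctx
                                                    : &global_tls_def_ctx;
        ld->ld_defconn = storage;
    }
    return ld->ld_defconn;
}

/* Which ctx does the first connection use when the option is set on a fresh
 * handle?  Old model: the per-session ctx is silently dropped and the global
 * default is used.  New model: the per-session ctx is honoured. */
const char *first_conn_ctx(int use_new_model) {
    static tls_ctx session_ctx = { "session" };   /* constructed sample ctx */
    ldap_handle ld = { NULL, NULL };
    conn storage;
    if (use_new_model) set_tls_ctx_new(&ld, &session_ctx);
    else               set_tls_ctx_old(&ld, &session_ctx);
    return ensure_defconn(&ld, &storage)->lconn_tls_ctx->label;
}
```

The security-relevant point is that in the old model the per-session context, and any custom verification it carries, is discarded without error, so the connection is verified only by whatever the global default does.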