
RE: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)



> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]

> >How about we add a ld->ld_def_tls_ctx, which is set by ldap_set_option.
> >When ld->ld_defconn is created, it will use ld_def_tls_ctx if it was set,
> >otherwise it behaves as before.
>
> This allows one to install a context, but it doesn't seem to
> allow one to modify the context created by the library before
> use by the library.

Well, if they need to do that they just have to be explicit about it:
	ldap_pvt_tls_init();
	ldap_pvt_tls_init_def_ctx();
	ldap_get_option(NULL, LDAP_OPT_X_TLS_CTX, &ctx);
will retrieve the global tls_def_ctx, which can then be munged directly using
the OpenSSL API.

That should already work in the current code...

> >On ldap_set_option, if the ld->ld_defconn exists, its lconn_tls_ctx is set at
> >the same time.
> >
> >> Kurt
> >>
> >> At 01:28 PM 10/14/2003, Howard Chu wrote:
> >> >I believe a related issue was recently raised on the -software list; the
> >> >ldap_set_option TLS_CTX doesn't work on a fresh LDAP* because ld->ld_defconn
> >> >doesn't get created until an actual request is made that needs a connection.
> >> >The ld_defconn then gets used right away, without giving an opportunity to
> >> >reconfigure it. So you can't override things on a per-session basis, you must
> >> >override the global tls_def_ctx.
> >> >
> >> >Given that we have this unusable ldap_set_option function at the moment, we
> >> >can either remove it or make it work by adding a ld_tls_ctx pointer to the
> >> >LDAP*, so it can be set before the ld_defconn is created. But this creates an
> >> >ambiguity in the ldap_get_option side... What next?
> >> >
> >> >  -- Howard Chu
> >> >  Chief Architect, Symas Corp.       Director, Highland Sun
> >> >  http://www.symas.com               http://highlandsun.com/hyc
> >> >  Symas: Premier OpenSource Development and Support
> >> >
> >> >> -----Original Message-----
> >> >> From: owner-openldap-bugs@OpenLDAP.org
> >> >> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> >> >> Kurt@OpenLDAP.org
> >> >> Sent: Tuesday, October 14, 2003 12:06 PM
> >> >> To: openldap-its@OpenLDAP.org
> >> >> Subject: Re: Flexibility to use customized "verify_callback" while using
> >> >> OpenLdap with TLS (ITS#2767)
> >> >>
> >> >>
> >> >> A couple of quick comments (without really looking at your tls.c
> >> >> patch... I'll leave most of that to others who are more familiar
> >> >> with that code).
> >> >>
> >> >> Setting of options should be done through the ldap_set_option(3) API.
> >> >> Likely should support global and per-session callbacks. ldap_set_option(3)
> >> >> supports both.  Also, we shouldn't provide options for things which
> >> >> can be managed through the TLS_CTX option.  That is, -lldap should
> >> >> avoid knowing too much about OpenSSL and/or TLS details.
> >> >>
> >> >> Lastly, no file in the tarball includes a notice.  See
> >> >> <http://www.openldap.org/devel/contributing.html> for guidelines.
> >> >> I suggest you provide a notice in a separate COPYRIGHT file.
> >> >>
> >> >> Kurt
> >> >>
> >> >>
> >> >> At 08:14 AM 10/14/2003, prkumar@nortelnetworks.com wrote:
> >> >> >Full_Name: Prashant Kumar.
> >> >> >Version: 2.1.22 (20030709)
> >> >> >OS: Linux
> >> >> >URL: ftp://ftp.openldap.org/incoming/
> >> >> >Submission from: (NULL) (47.234.0.52)
> >> >> >
> >> >> >
> >> >> >Right now, while using OpenLdap with TLS/SSL, there are no APIs to specify a
> >> >> >user-customized "verify_callback" and "verify_depth". Also, there are no APIs
> >> >> >to input the CA cert, client cert and client cert key onto the SSL context in
> >> >> >binary (DER) format (right now, OpenLdap reads all this info from PEM files
> >> >> >whose path is specified in the "ldap.conf").
> >> >> >
> >> >> >This enhancement adds the following APIs to the OpenLdap library, which will
> >> >> >allow the user to do all the above things:
> >> >> >
> >> >> >/*To set the verify callback*/
> >> >> >ldap_set_tls_verify_callback (
> >> >> >      int (*tls_verify_callback)(int, struct x509_store_ctx_s *));
> >> >> >
> >> >> >/*To set the verify depth*/
> >> >> >ldap_set_tls_verify_depth (unsigned int verify_depth);
> >> >> >
> >> >> >/*To set the CA cert*/
> >> >> >ldap_set_tls_cacert_bin (unsigned char *caCert, unsigned int len);
> >> >> >
> >> >> >/*To set the client cert*/
> >> >> >ldap_set_tls_clientcert_bin (unsigned char *clientcert, unsigned int len);
> >> >> >
> >> >> >/*To set the client cert key*/
> >> >> >ldap_set_tls_clientcert_key_bin (unsigned char *clientkey, unsigned int len);
> >> >> >
> >> >> >I have changed two files, "include/ldap.h" and "libraries/libldap/tls.c", to
> >> >> >accommodate these features, and I have uploaded these changes as a tar ball
> >> >> >(this tar ball has 2 patches, one for ldap.h and the other one for tls.c) onto
> >> >> >"ftp://ftp.openldap.org/incoming/". The tar ball name is
> >> >> >"prashant-kumar-openldap-031014.tgz"
> >> >> >
> >> >> >
> >> >> >Thank you,
> >> >> >Prashant Kumar
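The submission above asks for APIs such as ldap_set_tls_cacert_bin(buf, len) that take certificates as raw DER bytes instead of PEM file paths. The following is an added example, not code from this thread, from the submitted patch, or from OpenLDAP: it converts a PEM block into the DER bytes such an API would receive, and shows the check a library accepting a (pointer, length) blob should make before handing it to the TLS stack, namely that the blob is exactly one well-formed DER SEQUENCE whose encoded length matches the buffer. The names pem_to_der, der_is_single_sequence and SAMPLE_PEM are the example's own; SAMPLE_PEM is a constructed input whose body decodes to SEQUENCE { INTEGER 5 }, not a real certificate.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input (not a real certificate): the PEM body decodes to
 * the five DER bytes 30 03 02 01 05, i.e. SEQUENCE { INTEGER 5 }. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n";

/* Value of one base64 alphabet character; -1 for anything else. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Extract the body between the BEGIN and END marker lines and base64-decode
 * it into out. Returns the number of DER bytes written, or -1 when a marker
 * is missing, a non-base64 character appears, or out is too small. */
int pem_to_der(const char *pem, unsigned char *out, size_t outcap)
{
    const char *begin = strstr(pem, "-----BEGIN ");
    if (!begin) return -1;
    begin = strchr(begin, '\n');          /* skip the rest of the marker line */
    if (!begin) return -1;
    const char *end = strstr(begin, "-----END ");
    if (!end) return -1;

    size_t n = 0;
    unsigned acc = 0;                     /* bit accumulator, low bits used */
    int bits = 0;
    for (const char *p = begin; p < end; p++) {
        if (isspace((unsigned char)*p)) continue;
        if (*p == '=') break;             /* padding: body is complete */
        int v = b64val((unsigned char)*p);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* Return 1 if buf[0..len) is exactly one DER SEQUENCE (tag 0x30) whose
 * length field accounts for the whole buffer, else 0. Rejects truncated or
 * over-long blobs and non-minimal (non-DER) length encodings. */
int der_is_single_sequence(const unsigned char *buf, size_t len)
{
    if (len < 2 || buf[0] != 0x30) return 0;
    size_t hdr, body;
    if (buf[1] < 0x80) {                  /* short form length */
        hdr = 2;
        body = buf[1];
    } else {                              /* long form: 0x80 | byte count */
        size_t nb = buf[1] & 0x7f;
        if (nb == 0 || nb > sizeof(size_t) || len < 2 + nb) return 0;
        if (nb > 1 && buf[2] == 0) return 0;      /* leading zero byte */
        body = 0;
        for (size_t i = 0; i < nb; i++) body = (body << 8) | buf[2 + i];
        if (body < 0x80) return 0;        /* should have used short form */
        hdr = 2 + nb;
    }
    return hdr + body == len;
}

int main(void)
{
    unsigned char der[64];
    int n = pem_to_der(SAMPLE_PEM, der, sizeof der);
    int ok = n > 0 && der_is_single_sequence(der, (size_t)n);
    printf("decoded %d DER bytes, single well-formed SEQUENCE: %s\n",
           n, ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The length check matters because a binary-input API has no file boundary to rely on: a caller passing a stale len, or a blob with trailing bytes, would otherwise be discovered only inside the TLS library's DER parser, with a far less useful error.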