[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SSL Question: Is Everyone Ignorant or Just Non-responsive

In rev 1.26 of libldap/tls.c I had added a function
ldap_pvt_tls_get_handle() which would return the (SSL *) from a given (LDAP
*) but apparently this function is now
gone. The only other option for getting hold of the (SSL *) with the current
is something like this (error checks omitted):

	LDAP *ld;
	SSL_CTX ctx;
	int result;

	result=ldap_initialize(&ld, "ldaps://foo.com:9876");
	result=ldap_get_option(ld, LDAP_OPT_X_TLS_CTX, &ctx);
	SSL_CTX_set_info_callback(ctx, myinfo_cb);

your info callback function will be called like so:

static void myinfo_cb(SSL *ssl, int where, int ret)

You can stuff the SSL handle somewhere, or just process it with the usual
SSL_get_peer_certificate(ssl) call.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Matt
> Sent: Wednesday, August 15, 2001 11:37 AM
> To: openldap-software@OpenLDAP.org
> Subject: Re: SSL Question: Is Everyone Ignorant or Just Non-responsive
> Hi John,
> 	I think I am trying to do the same type of thing that you are
> trying to do.  I want my application to be able to access the certificate
> of the LDAP server (over ldaps:// or TLS, I dont particularly care which),
> and I have been working on other things for the last little while.
> 	In a post from Kurt Zeilanga, he noted that the openssl s_client
> program could read the certificate information from a ldap server running
> on ldaps:// .  This works for me - I can see my certificate and presumably
> if I looked at what the openssl s_client was doing on this and wrote
> something like this in my application then I should be able to get it
> working. I haven't done this yet, but I plan to .  It would be nice if ?I
> could figure out how to get this working over TLS that would be even
> nicer, but right now it doesnt look to possible.
> 	The ldap library doesn't seem to provide any nice way to access
> the LDAP server certificate, which is a pain for me, but I guess that it
> isn't a common thing to do.
> 	I would love to hear any tips you receive or have come up with.
> Thanks
> Matt Maynard
> 4B Computer Science University of Waterloo