
Re: TLS/SSL some questions...



At 01:10 PM 2001-08-29, Geert Van Muylem wrote:
>I've some questions about the TLS/SSL protocol...

I'm not an LDAP/TLS expert, but I'll take a stab at it.
(I mostly use SASL-mechanism-provided confidentiality
protections.)


>- what does the API ldap_start_tls_s()?

The call issues an LDAP Start TLS [RFC 2830] extended operation
and, if success is returned by the server, proceeds with a
TLS handshake.

>Does it just start the handshaking?
>Does it ask the LDAP Server for its certificate?

Yes.

>Don't you need the issuer certificate at the client side to be
>able to verify it, or does it always simply accept the issuer?

I believe it simply accepts the issuer unless CAs have
been provided (via ldap.conf(5) [undocumented features, sorry]).

>- how can i avoid that the api asks for the pass phrase of the secret key?

Don't encrypt the secret key.

>   /* CLIENT CERTS AND KEYS */
>   rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE,
>                                "C:\\LDAP\\cl1_crt.pem");
>   if ( rc != LDAP_SUCCESS )
>   {
>       fprintf(stderr, "setting LDAP_OPT_X_TLS_CERTFILE failed (rc=%d)\n", rc);
>       return rc;
>   }
>   rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE,
>                                "C:\\LDAP\\cl1_sk.pem");
>   if ( rc != LDAP_SUCCESS )
>   {
>       fprintf(stderr, "setting LDAP_OPT_X_TLS_KEYFILE failed (rc=%d)\n", rc);
>       return rc;
>   }
>
>- Does anyone have a good description of the protocol?

RFC 2830.
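As an added illustration (not part of the original post, and not OpenLDAP's own code): the wire exchange that ldap_start_tls_s() performs before any TLS handshake, as RFC 2830 specifies it, written in Python with only the standard library. The client sends an ExtendedRequest whose requestName is the StartTLS OID 1.3.6.1.4.1.1466.20037; the server answers with an ExtendedResponse, and only a resultCode of success (0) for the matching messageID means the client may begin the handshake on the same socket. The server replies below are constructed samples, and the helper names are my own.

```python
# Added example: LDAP StartTLS (RFC 2830) request/response at the BER level.
# Shows what ldap_start_tls_s() sends and what it must check before handshaking.

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 2830, section 2.1

# Result codes a StartTLS response may carry (RFC 2830, section 2.3)
LDAP_SUCCESS = 0
LDAP_OPERATIONS_ERROR = 1     # TLS already established on this connection
LDAP_PROTOCOL_ERROR = 2       # TLS not supported / malformed request
LDAP_UNAVAILABLE = 52         # server cannot do TLS right now
RESULT_NAMES = {0: "success", 1: "operationsError",
                2: "protocolError", 52: "unavailable"}


def ber_len(n):
    """Encode a BER length in short or long definite form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Tag-length-value with a single-byte tag."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n):
    """ASN.1 INTEGER (two's complement, minimal length)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def build_starttls_request(msgid):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))   # 0x77 = [APPLICATION 23], constructed
    return tlv(0x30, ber_int(msgid) + ext_req)


def build_starttls_response(msgid, result_code, diagnostic=b"", include_name=True):
    """Constructed server reply (sample only): ExtendedResponse [APPLICATION 24]
    { resultCode ENUMERATED, matchedDN, diagnosticMessage, responseName [10] }."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic)
    if include_name:
        body += tlv(0x8A, STARTTLS_OID)            # 0x8A = [10] LDAPOID, primitive
    return tlv(0x30, ber_int(msgid) + tlv(0x78, body))


def read_tlv(buf, pos):
    """Decode one BER element at buf[pos]; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def parse_starttls_response(pdu):
    """Parse an LDAPMessage carrying an ExtendedResponse; reject anything else."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msgid_bytes, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    msgid = int.from_bytes(msgid_bytes, "big", signed=True)
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    tag, rc, pos = read_tlv(body, 0)                 # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, matched_dn, pos = read_tlv(body, pos)         # matchedDN LDAPDN
    _, diag, pos = read_tlv(body, pos)               # diagnosticMessage
    response_name = None
    while pos < len(body):                           # optional referral [3], responseName [10], ...
        tag, content, pos = read_tlv(body, pos)
        if tag == 0x8A:
            response_name = content
    code = int.from_bytes(rc, "big")
    return {"msgid": msgid, "result_code": code,
            "result_name": RESULT_NAMES.get(code, "other"),
            "diagnostic": diag.decode("utf-8", "replace"),
            "response_name": response_name}


def client_should_start_handshake(pdu, expected_msgid):
    """The decision ldap_start_tls_s() has to make: handshake only on success
    for our own messageID; any other outcome leaves the connection in cleartext."""
    r = parse_starttls_response(pdu)
    return r["msgid"] == expected_msgid and r["result_code"] == LDAP_SUCCESS
```

Note that a success response only tells the client it may start the handshake; whether the server's certificate is then checked against a trusted CA is a separate, client-side configuration matter that this exchange does not cover.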