Re: TLS/SSL some questions...

At 01:10 PM 2001-08-29, Geert Van Muylem wrote:
>I've some questions about the TLS/SSL protocol...

I'm not a LDAP/TLS expert, but I'll take a stab at it.
(I mostly use SASL-mechanism-provided confidentiality

>- what does the API ldap_start_tls_s() do?

The call issues an LDAP Start TLS [RFC 2830] extended operation
and, if success is returned by the server, proceeds with a
TLS handshake.

>Does it just start the handshaking?
>Does it ask the LDAP Server for its certificate?


>Don't you need the issuer
>at the client side to be able to verify it or does it always simply accept
>the issuer?

I believe it simply accepts the issuer unless CAs have
been provided (via ldap.conf(5) [undocumented features, sorry]).

>- how can I avoid that the API asks for the pass phrase of the secret key?

Don't encrypt the secret key.

>   rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE,
>   if ( rc != LDAP_SUCCESS )
>   {
>   }
>   rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE,
>   if ( rc != LDAP_SUCCESS )
>   {
>   }
>- Does anyone have a good description of the protocol?

RFC 2830.
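As an added illustration of the exchange described above (not code from the original mail, nor from OpenLDAP's libldap): the Start TLS extended request a client sends and the check on the server's ExtendedResponse that decides whether the TLS handshake may begin, hand-encoded from the RFC 2830 / RFC 2251 ASN.1. The minimal BER helpers, the constructed server replies and the one-byte messageIDs and result codes are assumptions made for this example.

```python
# Added example, not from the original mail: the Start TLS exchange that ldap_start_tls_s()
# performs, hand-encoded from RFC 2830 / RFC 2251 ASN.1. Assumes stdlib only and one-byte IDs/codes.
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"

def ber(tag, content):                      # one BER TLV, definite length
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")  # long form > 127
    return bytes([tag]) + length + content

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos] -> (tag, content, offset just past the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def start_tls_request(message_id):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber(0x77, ber(0x80, START_TLS_OID))
    return ber(0x30, ber(0x02, bytes([message_id])) + ext_req)

def parse_extended_response(msg):
    """-> (messageID, resultCode, errorMessage, responseName or None)."""
    _, body, _ = read_tlv(msg, 0)           # outer LDAPMessage SEQUENCE
    _, mid, pos = read_tlv(body, 0)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:                         # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = read_tlv(op, 0)            # resultCode ENUMERATED
    _, _dn, pos = read_tlv(op, pos)         # matchedDN
    _, diag, pos = read_tlv(op, pos)        # errorMessage
    name = None
    while pos < len(op):                    # optional referral [3], responseName [10], response [11]
        tag, val, pos = read_tlv(op, pos)
        if tag == 0x8A:
            name = val
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode(), name

def may_start_handshake(message_id, response):
    """Hand the socket to TLS only on success (0) for this messageID; otherwise stay in the clear and report."""
    mid, rc, _diag, name = parse_extended_response(response)
    return mid == message_id and rc == 0 and name in (None, START_TLS_OID)

def extended_response(message_id, result_code, diag=b"", name=START_TLS_OID):
    """Constructed server reply (for offline testing); mirrors the server-side encoding."""
    body = ber(0x0A, bytes([result_code])) + ber(0x04, b"") + ber(0x04, diag)
    if name is not None:
        body += ber(0x8A, name)
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x78, body))
```

A real client would write `start_tls_request()` to the socket, read one LDAPMessage back, and only when `may_start_handshake()` returns true wrap the same socket in TLS; the certificate checks the mail mentions (CA configuration) happen in that handshake, not in this exchange.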