
FW: TLS/SSL some questions...



Do you still need, for security reasons, a SASL mechanism
even if you configure the server so that it asks for
the client's certificate (with TLSVerifyClient in slapd.conf)? The client
has to send a certificate issued by a CA trusted by the server... (and signed
with its secret key)

Can you link the client's certificate (or the DN) with an access control
list?
Where can I find an overview of all SASL mechanisms?

Regards,

-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Wednesday 29 August 2001 23:41
To: Geert.Van.Muylem@skynet.be
Cc: LDAP Mailing List
Subject: Re: TLS/SSL some questions...


At 01:10 PM 2001-08-29, Geert Van Muylem wrote:
>I've some questions about the TLS/SSL protocol...

I'm not a LDAP/TLS expert, but I'll take a stab at it.
(I mostly use the confidentiality protections provided by SASL
mechanisms.)


>- what does the API ldap_start_tls_s() do?

The call issues an LDAP Start TLS [RFC 2830] extended operation
and, if success is returned by the server, proceeds with a
TLS handshake.

>Does it just start the handshaking?
>Does it ask the LDAP Server for its certificate?

Yes.

>Don't you need the issuer certificate at the client side to be able to
>verify it, or does it always simply accept the issuer?

I believe it simply accepts the issuer unless CAs have
been provided (via ldap.conf(5) [undocumented features, sorry]).

>- how can I avoid the API asking for the pass phrase of the secret key?

Don't encrypt the secret key.

>   /* CLIENT CERTS AND KEYS */
>   rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE,
>                                "C:\\LDAP\\cl1_crt.pem");
>   if ( rc != LDAP_SUCCESS )
>   {
>       /* handle error */
>   }
>   rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE,
>                                "C:\\LDAP\\cl1_sk.pem");
>   if ( rc != LDAP_SUCCESS )
>   {
>       /* handle error */
>   }
>
>- Does anyone have a good description of the protocol?

RFC 2830.
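The TLSVerifyClient question at the top of this mail and Kurt's remark that the client accepts any issuer unless CAs are configured in ldap.conf(5), as an added configuration example that is not part of this thread. Paths, the DNs and the certificate subject are constructed placeholders.

```conf
# --- slapd.conf (server side), added example ---
TLSCertificateFile      /etc/openldap/server_crt.pem
# Keep this key unencrypted: slapd has no way to prompt for a pass phrase.
TLSCertificateKeyFile   /etc/openldap/server_key.pem
# CA(s) whose client certificates the server trusts.
TLSCACertificateFile    /etc/openldap/ca_crt.pem
# 'never' accepts sessions without any client certificate;
# 'demand' aborts the handshake unless the client presents a
# certificate that chains to a CA listed above.
TLSVerifyClient         demand

# After a SASL EXTERNAL bind over TLS, slapd uses the subject DN of
# the client certificate as the authentication DN, so the certificate
# can be tied to the ACL like any other DN (placeholder DNs below).
access to dn.subtree="ou=people,o=example,c=be"
        by dn.exact="cn=client1,o=example,c=be" write
        by * read

# --- ldap.conf (client side), added example ---
# Without TLS_CACERT, or with TLS_REQCERT never, the client accepts
# whatever issuer the server presents; 'demand' fails the handshake
# if the server certificate does not verify against this CA.
TLS_CACERT   /etc/openldap/ca_crt.pem
TLS_REQCERT  demand

# --- ~/.ldaprc (per user), added example ---
# TLS_CERT and TLS_KEY are user-only options and are ignored in the
# system ldap.conf; an unencrypted key avoids the pass phrase prompt.
TLS_CERT     /home/client1/cl1_crt.pem
TLS_KEY      /home/client1/cl1_sk.pem
```

With both sides configured this way, `ldapsearch -ZZ -Y EXTERNAL` binds using the client certificate; without a SASL bind the certificate is only verified by TLS and the session stays anonymous for ACL purposes.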