[Date Prev][Date Next]
Ignacio Coupeau wrote:
> Michael Ströder wrote:
> > Where can I find docs about the exact semantics of the
> > SSL/TLS-related constants defined in ldap.h and their proper use
> > with StartTLS or LDAP over SSL?
> > /* OpenLDAP TLS options */
> > #define LDAP_OPT_X_TLS 0x6000
> > #define LDAP_OPT_X_TLS_CTX 0x6001 /* SSL CTX
> This may help:
Thanks for your reply but it does not answer my question since it
rather describes how to get started.
I already have everything working with StartTLS or LDAP/SSL (LDAPS)
either against OpenLDAP REL_ENG_2 and iPlanet server. That's not my
problem. But I want it to be really sure about doing proper
certificate validation. I can see in the trace log that e.g. the
cert chain seems to be validated if I set LDAP_OPT_X_TLS_CACERTFILE
(or LDAP_OPT_X_TLS_CACERTDIR). But I'm currently not able to really
determine the exact behaviour if validating of the chain fails.
Therefore I need to know what the exact semantics of the following
constants are. This time I only listed the ones not clear to me.
#define LDAP_OPT_X_TLS 0x6000
#define LDAP_OPT_X_TLS_REQUIRE_CERT 0x6006
/* #define LDAP_OPT_X_TLS_PROTOCOL 0x6007 */
#define LDAP_OPT_X_TLS_CIPHER_SUITE 0x6008
Especially it's not clear what these constants below mean. They seem
to define which kind of level of security is acceptable if cert
validation (partially) fails.
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
#define LDAP_OPT_X_TLS_DEMAND 2
#define LDAP_OPT_X_TLS_ALLOW 3
#define LDAP_OPT_X_TLS_TRY 4
Again: I'm asking for *exact* semantics not just what they probably