Re: TLS Info?



Eric Nichols wrote:
> Jittinan Suwanrueangsri wrote:
>> Eric Nichols wrote:
>>> I have not been able to figure out how to dump more info on the
>>> encryption levels, certificate CN & expiration date etc.  Should this
>>> be done through the openssl functions?  If so, what do I hook them to?
>>
>> Have you tried the "slapd -d trace" option?
>>
>> You can get more description of each debugging level from "man slapd.conf".
>
> I'm more interested in the lib calls.  I'm trying to write a program to
> pull this information when I connect to an LDAP server over SSL.

There are no public APIs for retrieving this info. You can retrieve the SSL session handle from the LDAP* handle using

	SSL *s;
	ldap_get_option( ld, LDAP_OPT_X_TLS_SSL_CTX, &s );

You can get the encryption level using
	ldap_pvt_tls_get_strength( s );

You can get the DN of your certificate using
	struct berval dn;
	ldap_pvt_tls_get_my_dn( s, &dn, NULL, 0 );

You can get the DN of the peer certificate using
	ldap_pvt_tls_get_peer_dn( s, &dn, NULL, 0 );

Note that these functions are private to OpenLDAP's implementation, and are not specified in any API standard, and are subject to change without notice.

There is no libldap function for returning the cert expiration date; since the OpenSSL library already does cert validation checks we've never needed a function to pull this out on its own. To do anything else you'll have to use the OpenSSL functions directly.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/