
cert options in ssl/tls connections



Hello All,

Today I came across a strange problem.

I wrote a program to test an LDAP SSL/TLS connection with the OpenLDAP library. It is something like the following code snippet:

int ret = LDAP_OPT_SUCCESS;
int cert_flag = LDAP_OPT_X_TLS_NEVER;
...
/* First attempt: set the global option (ld == NULL) so the server certificate is not checked */
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_flag);
if (ret != LDAP_OPT_SUCCESS)
{
    fprintf(stderr, "unable to set require cert option (LDAP_OPT_X_TLS_REQUIRE_CERT): %s\n",
            ldap_err2string(ret));
}
... // bind to the server

/* Second attempt: set the global option again, now demanding a valid server certificate */
cert_flag = LDAP_OPT_X_TLS_DEMAND;
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_flag);
if (ret != LDAP_OPT_SUCCESS)
{
    fprintf(stderr, "unable to set require cert option (LDAP_OPT_X_TLS_REQUIRE_CERT): %s\n",
            ldap_err2string(ret));
}
... // bind to the server

The first binding is successful, as expected. However, the second binding is also successful, which is contrary to my expectation, because I didn't create any cert file yet.

Another observation here is that if the first binding with LDAP_OPT_X_TLS_NEVER is removed, and the second binding with LDAP_OPT_X_TLS_DEMAND set is done right from the beginning, then it will fail, as expected.

So, it seems the first value set for the option LDAP_OPT_X_TLS_REQUIRE_CERT will override the later values, doesn't it? Is it possible to change this option's value on the fly (meaning different bindings use different values for this cert option)?

Thanks,
Qiang