Re: 3rd try: Bug? ldap_start_tls_s successful even after removing ca certificate from ca cert dir
On Wed, 27 Aug 2014, SOMA SEKHAR wrote:
> On Sat, Aug 23, 2014 at 1:08 PM, SOMA SEKHAR <firstname.lastname@example.org> wrote:
> > link to question on stackoverflow
> > I'm having trouble verifying the correct behavior of my software. Here
> > are the steps I am performing to verify correct operation:
> > 1. I have sample code that uses the openldap library and does a start tls
> > to an ldap server.
> > 2. I have set the global option for the ca cert directory and tls context
> > for the first time.
> > 3. After that I did ldap init and ldap start tls to a server. This is
> > successful as expected.
> > 4. I did an ldap_unbind_s.
> > 5. I deleted the CA cert that signed the ldap server's certificate
> > from the ca cert directory of the client.
> > 6. Again did ldap_init and ldap_start_tls_s.
> > 7. I expected this call to fail, as I have removed the ca cert. But
> > what I observe is that the server sends the certificate and start_tls is
> > returning success.
If you feel this behavior is not described in the ldap_tls(3) and
ldap_get_option(3) manpages, then you should file an ITS asking that those
manpages be clarified.
As is, the only documented sure way to completely reset the SSL state is
to restart the process.
> > ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
You used this option here, but not later? If you don't know what this
option does, why did you call it?