
Re: 3rd try : Bug ? ldap_start_tls_s successful even after removing ca certificate from ca cert dir



On Wed, 27 Aug 2014, SOMA SEKHAR wrote:
> On Sat, Aug 23, 2014 at 1:08 PM, SOMA SEKHAR <somasekhar44@gmail.com> wrote:
> > link to question on stackoverflow
...
> > I'm having trouble verifying the correct behavior of my software. Here 
> > are the steps I am performing to verify correct operation:
> >
> >    1. I have sample code that uses the OpenLDAP library and does a StartTLS
> >    to an LDAP server.
> >    2. I have set the global option for the CA cert directory and TLS context
> >    for the first time.
> >    3. After that I did ldap_init and ldap_start_tls to a server. This is
> >    successful as expected.
> >    4. I did an ldap_unbind_s.
> >    5. I deleted the CA cert that signed the LDAP server's certificate
> >    from the CA cert directory of the client.
> >    6. Again did ldap_init and ldap_start_tls_s.
> >    7. I expected this call to fail, as I have removed the CA cert. But
> >    what I observe is that the server sends the certificate but start_tls is
> >    returning success.

If you feel this behavior is not described by the ldap_tls(3) and 
ldap_get_option(3) manpages, then you should file an ITS asking that those 
manpages be clarified.

As is, the only documented sure way to completely reset the SSL state is 
to restart the process.


...
> > ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);

You used this option here, but not later?  If you don't know what this 
option does, why did you call it?


Philip