
Re: way to validate server certificate



On Mon, 22 Sep 2014 17:51:02 +0000,
Bin Lu <blu@paloaltonetworks.com> wrote:

> Hi Howard,
> 
> The RFCs specify the protocol, but not all releases implement the
> full protocol. 
> 
> I briefly went through the openLdap APIs but could not find the APIs
> to do server id check.  LDAP_OPT_X_TLS_CACERTFILE and
> LDAP_OPT_X_TLS_CACERTDIR seem to be for server cert validation, but I
> don't see how it does the hostname matching. 
> 
> It would be helpful if somebody could point me to the actual API(s)
> that do this.

That depends on the included TLS library; for OpenSSL you might want to
read
https://www.openssl.org/docs/ssl/ssl.html#DEALING_WITH_PROTOCOL_METHODS


-Dieter

> 
> Thanks,
> 
> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com] 
> Sent: Friday, September 19, 2014 8:10 PM
> To: Bin Lu; openldap-technical@openldap.org
> Subject: Re: way to validate server certificate
> 
> Bin Lu wrote:
> > Hi,
> >
> > Does openldap provide APIs to do server certificate validation? Can
> > I retrieve the server cert from LDAP connection and do the
> > validation myself or by passing the trusted CA list openldap will
> > do it (in this case, how the hostname matching with the subject DN
> > is performed)?
> 
> OpenLDAP libldap does server certificate validation according to
> RFC2830 and 4513. It would be a mistake to duplicate that
> functionality and do the validation yourself.
> >
> > Thanks a lot in advance,
> >
> > -blu
> >
> 
> 

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
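The practical point behind Howard's answer is that libldap only performs the RFC 4513 chain and hostname check when it is told to require a valid server certificate. The following ldap.conf fragment is an added illustration, not part of the thread or of the OpenLDAP project's own documentation; it shows the weak setting that silently skips the check next to the corrected one. The CA bundle path is a placeholder.

```conf
# --- Weak: libldap negotiates TLS but never verifies the server certificate.
# "never" (and "allow") suppress both the chain check and the hostname match,
# so a man-in-the-middle with any certificate is accepted.
#TLS_REQCERT never

# --- Corrected: demand a certificate that chains to a trusted CA and whose
# subjectAltName/CN matches the host given in the LDAP URI (RFC 4513, 3.1.3).
# The connection is aborted if either check fails.
TLS_CACERT /etc/ssl/certs/ca-bundle.crt   # placeholder path to your CA bundle
TLS_REQCERT demand
```

Programmatically, the same effect comes from `ldap_set_option()` with `LDAP_OPT_X_TLS_CACERTFILE` (or `LDAP_OPT_X_TLS_CACERTDIR`, both mentioned above) plus `LDAP_OPT_X_TLS_REQUIRE_CERT` set to `LDAP_OPT_X_TLS_DEMAND`, applied before `ldap_start_tls_s()` or before connecting to an ldaps:// URI. Because the hostname compared is the one in the LDAP URI, configurations that connect by IP address or by a short alias will fail the match even with a correct CA bundle; that failure is the check working, not a reason to lower `TLS_REQCERT`.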