
RE: Using TLS



Hi Quanah,

I did the following (and ensured the return code was OK) but still got the connect issue "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)". Can you tell me what else I'm missing? The client checks the server certificate even though it is configured never to do so.

int opt;
opt = LDAP_OPT_X_TLS_NEVER;                                 /* do not verify the server certificate */
ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt);   /* NULL handle: sets the global defaults */

-And-

int new_ctx = 0;                                            /* 0 = client-side TLS context */
ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &new_ctx);       /* rebuild the context from the current options */

Daniel

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@symas.com] 
Sent: Friday, June 23, 2017 5:54 PM
To: Daniel Le <daniel.le@exfo.com>; 'openldap-technical@openldap.org' <openldap-technical@openldap.org>
Subject: RE: Using TLS

--On Friday, June 23, 2017 10:31 PM +0000 Daniel Le <daniel.le@exfo.com> wrote:

> Thanks Quanah.
>
> Using OpenLDAP API, is it correct to set client TLS option to -not- 
> validate server certificates as follows?
>
> int opt;
> opt = LDAP_OPT_X_TLS_NEVER;
> rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt);

You still have to reinitialize the global context, as in my commit, for the filehandle.  So you'd want these two lines to follow:

int new_ctx = 0;                                            /* 0 = client-side TLS context */
rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &new_ctx);  /* must come after the other TLS options */

etc.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>