RE: ignore server cert verification.

[Abdul Basit <abasit@basit.cc>]

Oh i got it.

it should actually be

int i = LDAP_OPT_X_TLS_NEVER;

ldap_set_option(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&i);

it seems to be working now.

thanks Gary,

Basit


On Thu, 3 Mar 2005, Tay, Gary wrote:

> Pls let the list know the version of OpenLDAP, and OS platform, so that
> the list folks can further assist you.
>
> TLS support is only available since OL 2.1.X, not 2.0.X
>
> Gary
>
> -----Original Message-----
> From: Abdul Basit [mailto:abasit@basit.cc]
> Sent: Friday, March 04, 2005 9:56 AM
> To: Tay, Gary
> Cc: openldap-software@openldap.org
> Subject: RE: ignore server cert verification.
>
>
>
> Hello,
>
> infact i did that.
>
>    int i = ldap_set_option(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,"never");
>
>    printf("i = %d\n", i);
>
> [abasit@client ldap_ssl_client]$ ./ldap_ssl_client
> i = -1
> simple bind:: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> [abasit@client ldap_ssl_client]$ vi ldap_ssl_client.c
>
>
> its returning -1 :(...
>
> thanks
> basit
>
>
> On Thu, 3 Mar 2005, Tay, Gary wrote:
>
> > "man -M $MANPATH_FOR_OPENLDAP ldap.conf", read "TLS_REQUEST", I guess
> > the LDAP API should have the corresponding one.
> >
> > Gary
> >
> > -----Original Message-----
> > From: Abdul Basit [mailto:abasit@basit.cc]
> > Sent: Friday, March 04, 2005 9:37 AM
> > To: Tay, Gary
> > Cc: openldap-software@openldap.org
> > Subject: RE: ignore server cert verification.
> >
> >
> >
> > Right, but is there a way to ignore server CA verification
> > in ldap API? by default openssl does not verify it.
> > is it LDAP that's bailing out?
> >
> > thanks
> > basit
> >
> >
> > On Thu, 3 Mar 2005, Tay, Gary wrote:
> >
> > > I think Verisign shld send u an "intermediate trust CA cert" or
> > > something like that to help u add it to CA list and then yr test cert
>
> > > can be recognized.
> > >
> > > -----Original Message-----
> > > From: owner-openldap-software@OpenLDAP.org
> > > [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Abdul
> > > Basit
> > > Sent: Friday, March 04, 2005 7:25 AM
> > > To: openldap-software@OpenLDAP.org
> > > Subject: ignore server cert verification.
> > >
> > >
> > >
> > > Hello,
> > >
> > >  my slapd is using a test certificate from verisign, and is not
> > > available in trusted CA file that the client is using, therefore i am
>
> > > getting this inside my client code.
> > >
> > > SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > >
> > >  Can anyone please tell me how can i ignore server cert verification?
> > >
> > > Thanks
> > > Basit