
RE: Using TLS



Hi Quanah,

No, I'm fairly new to OpenLDAP and wasn't aware of such a global context requirement.

Does that only apply to client TLS options?

Is the global option set by passing a NULL LDAP handle?

I found ITS#8573 wrt your TLS patch, but the URL: <http://www.openldap.org/lists/openldap-devel/attachments/20170608/2ae39d03/attachment.bin> is not found. Can you point me to where to download or see the patch? Has it been integrated into 2.4.45?

Daniel

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@symas.com] 
Sent: Friday, June 23, 2017 4:37 PM
To: Daniel Le <daniel.le@exfo.com>; 'openldap-technical@openldap.org' <openldap-technical@openldap.org>
Subject: RE: Using TLS

Hi Daniel,

You are aware that you must use the global context when changing the TLS options for a client, correct?  It does not work on the specific filehandle.  See my TLS patch for the command line client tools for an example (that is posted to the openldap-devel list).

--Quanah

--On Friday, June 23, 2017 9:20 PM +0000 Daniel Le <daniel.le@exfo.com>
wrote:

> Hello,
>
> Is there a unit tester where the client LDAP_OPT_X_TLS_REQUIRE_CERT 
> option is set to LDAP_OPT_X_TLS_NEVER that I can try? I was looking at 
> openldap-2.4.44/clients/tools/ldapsearch but it doesn't configure this 
> option.
>
> My application program sets LDAP_OPT_X_TLS_NEVER. Why does LDAP client 
> still check for server certificate which fails in the case of bad 
> certificate?
>
>     int opt;
>     opt = LDAP_OPT_X_TLS_NEVER;
>     ldap_retcode = ldap_set_option(m_tLDAP, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt);
>     ...
>
> Daniel
>
> -----Original Message-----
> From: Daniel Le
> Sent: Monday, June 19, 2017 3:58 PM
> To: 'Paulm' <paulm@tetrardus.net>
> Cc: openldap-technical@openldap.org
> Subject: RE: Using TLS
>
> I rebuilt with libssl (an OpenSSL library which supports SSL and TLS) 
> and that worked. Thanks.
>
> However, I got into the connect error "14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self 
> signed certificate)", even though the LDAP_OPT_X_TLS_REQUIRE_CERT 
> option is set to LDAP_OPT_X_TLS_NEVER. Isn't LDAP client supposed to 
> bypass server certificate validation when LDAP_OPT_X_TLS_NEVER is configured?
>
> Daniel
>
> -----Original Message-----
> From: Paulm [mailto:paulm@tetrardus.net]
> Sent: Sunday, June 18, 2017 10:13 PM
>
> On Fri, Jun 16, 2017 at 03:26:20PM +0000, Daniel Le wrote:
>>    Hi,
>>
>>
>>    I'm seeing some critical error which causes the application program to
>>    exit/terminate when ldap_start_tls_s(LDAP-handle, NULL, NULL) is
>>    called. Tracing the code execution, ldap_start_tls_s =>
>>    ldap_int_tls_start => tls_init, it appears the crash is at the
>>    statement "return impl->ti_tls_init()" in the tls_init function.
>>
>>
>>    Can someone give a pointer to help debugging this? And does OpenLDAP
>>    need to be linked to OpenSSL library for TLS to work?
>
> If your ldap libs are linked to gnutls, then it might be worthwhile to 
> rebuild and link to the openssl library; then test your code again.
>
> I don't use gnutls because it has given me problems.
>
>>    I use LDAPv3, port 389 and the default LDAP_OPT_X_TLS_NEVER option.
>>    HAVE_TLS is defined but not LDAP_R_COMPILE.
>>
>>
>>    Thanks,
>>
>>    Daniel
>



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>