RE: Using TLS

Fri, 23 Jun 2017 13:21:49 -0700 

Hello,

Is there a unit tester where the client LDAP_OPT_X_TLS_REQUIRE_CERT option is 
set to LDAP_OPT_X_TLS_NEVER that I can try? I was looking at 
openldap-2.4.44/clients/tools/ldapsearch but it doesn't configure this option.

My application program sets LDAP_OPT_X_TLS_NEVER. Why does LDAP client still 
check for server certificate which fails in the case of bad certificate?

    int opt;
    opt = LDAP_OPT_X_TLS_NEVER;
    ldap_retcode = ldap_set_option(m_tLDAP, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt);
    ...

Daniel

-----Original Message-----
From: Daniel Le 
Sent: Monday, June 19, 2017 3:58 PM
To: 'Paulm' <pa...@tetrardus.net>
Cc: openldap-technical@openldap.org
Subject: RE: Using TLS

I rebuilt with libssl (an OpenSSL library which supports SSL and TLS) and that 
worked. Thanks.

However, I got into the connect error "14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed 
certificate)", even though the LDAP_OPT_X_TLS_REQUIRE_CERT option is set to 
LDAP_OPT_X_TLS_NEVER. Isn't LDAP client supposed to bypass server certificate 
validation when LDAP_OPT_X_TLS_NEVER is configured?

Daniel

-----Original Message-----
From: Paulm [mailto:pa...@tetrardus.net] 
Sent: Sunday, June 18, 2017 10:13 PM

On Fri, Jun 16, 2017 at 03:26:20PM +0000, Daniel Le wrote:
>    Hi,
> 
> 
>    I'm seeing some critical error which causes the application program to
>    exit/terminate when ldap_start_tls_s(LDAP-handle, NULL, NULL) is
>    called. Tracing the code execution, ldap_start_tls_s =>
>    ldap_int_tls_start => tls_init, it appears the crash is at the
>    statement "return impl->ti_tls_init()" in the tls_init function.
> 
> 
>    Can someone give a pointer to help debugging this? And does OpenLDAP
>    need to be linked to OpenSSL library for TLS to work?

If your ldap libs are linked to gnutls, then it might be worthwhile to rebuild 
and link to the openssl library; then test your code again.

I don't use gnutls because it has given me problems.

>    I use LDAPv3, port 389 and the default LDAP_OPT_X_TLS_NEVER option.
>    HAVE_TLS is defined but not LDAP_R_COMPILE.
> 
> 
>    Thanks,
> 
>    Daniel

Reply via email to