O.K. I've done some more research and reread the original question. OP 
describes two LDAP clients, one of which accepts auth credentials "up front", 
asks if SSL should be used, and offers the LDAP server's cert for verification 
(likely before sending auth credentials). The second "just works" with the 
installation of a client cert (at least there is no mention of an additional 
authentication step prompting for auth credentials).

I checked openldap and it, at least, supports the notion of binding to the LDAP 
server with the DN in the Subject of the client cert if configured to use 
client certs. A regexp mechanism is provided for mapping existing client cert 
Subject DNs to those the LDAP database already has.

I THINK (but am not sure) that the openldap server can be configured to ask for 
a client cert, and if one is not provided, require usual authentication over 
the SSL link secured with the server cert alone, but if one IS provided, to try 
to use the DN in the Subject field to bind with. If that is true, you could 
conceivably store client certs in your LDAP DB, and deliver them to your users 
who initially authenticate without them.

The flaw in that is that traditionally client certs are generated BY THE CLIENT 
to ensure that only the client has the private key, then sent for signing, and 
the signed cert returned to the client. I suppose one could generate the key 
and cert on the server, and bundle them for transmission to the user, but this 
is less secure from the user's perspective.
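As an added illustration (my code, not anything posted in this thread and not OpenLDAP's own source): slapd does support the combination described above. With "TLSVerifyClient try" in slapd.conf the server asks for a client certificate, carries on with ordinary binds if none is offered, and drops the connection if a bad one is presented ("allow" ignores a bad one, "demand" insists on a good one). A client that then binds with SASL EXTERNAL over TLS is identified by its certificate's subject DN, and "authz-regexp" rules rewrite that DN into a directory DN or an LDAP URL. The program below reproduces that rewriting step with POSIX regexes, the way slapd applies the rules (extended syntax, case-insensitive, first matching rule wins). The two rules and the ou=users,dc=example,dc=com layout are constructed for the example.

```c
/* Added example, not code from the thread or from OpenLDAP itself.
 * Reproduces what slapd's authz-regexp does with the SASL EXTERNAL
 * identity (the client certificate's subject DN): try each rule in
 * order, case-insensitively, and expand $1..$9 from the first match.
 * The rule strings are written as they would appear in slapd.conf. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

struct authz_rule {
    const char *match;    /* POSIX extended regex, as in slapd.conf */
    const char *replace;  /* DN or LDAP URL, may reference $1..$9    */
};

/* Constructed rules; the directory layout (ou=users, dc=example,dc=com)
 * is an assumption. Order matters: the first match wins. */
static const struct authz_rule rules[] = {
    { "^cn=admin,ou=people,o=example corp$",
      "cn=Manager,dc=example,dc=com" },
    { "^cn=([^,]+),ou=people,o=example corp$",
      "ldap:///ou=users,dc=example,dc=com??sub?(cn=$1)" },
};
#define NRULES (sizeof rules / sizeof rules[0])
#define MAXSUB 10

/* Copy tmpl to out, replacing $N with capture group N of the match on
 * subj. Returns 0, or -1 if out is too small. */
static int expand(const char *tmpl, const char *subj, const regmatch_t *m,
                  char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p == '$' && p[1] >= '0' && p[1] <= '9') {
            int n = *++p - '0';
            if (m[n].rm_so < 0)          /* group did not participate */
                continue;
            size_t len = (size_t)(m[n].rm_eo - m[n].rm_so);
            if (o + len >= outlen)
                return -1;
            memcpy(out + o, subj + m[n].rm_so, len);
            o += len;
        } else {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Map a certificate subject DN (RFC 4514 string form, which is how slapd
 * presents the SASL EXTERNAL authcid) to the bind identity.
 * Returns 1 if a rule matched, 0 if none did (slapd then keeps the
 * certificate DN as the identity, which only lines up with an entry if
 * the directory already uses that DN layout), -1 on error. */
int authz_map(const char *subject_dn, char *out, size_t outlen)
{
    for (size_t i = 0; i < NRULES; i++) {
        regex_t re;
        regmatch_t m[MAXSUB];
        /* slapd compiles authz-regexp patterns extended and case-insensitive */
        if (regcomp(&re, rules[i].match, REG_EXTENDED | REG_ICASE) != 0)
            return -1;
        int rc = regexec(&re, subject_dn, MAXSUB, m, 0);
        regfree(&re);
        if (rc == 0)
            return expand(rules[i].replace, subject_dn, m, out, outlen) == 0 ? 1 : -1;
    }
    if (strlen(subject_dn) >= outlen)
        return -1;
    strcpy(out, subject_dn);
    return 0;
}

/* Convenience for checks: 1 if subject_dn maps to expected, else 0. */
int authz_maps_to(const char *subject_dn, const char *expected)
{
    char out[256];
    return authz_map(subject_dn, out, sizeof out) >= 0 && strcmp(out, expected) == 0;
}

int main(void)
{
    const char *subjects[] = {
        "cn=alice,ou=People,o=Example Corp",       /* ordinary user      */
        "cn=Admin,ou=People,o=Example Corp",       /* hits the first rule */
        "cn=mallory,ou=Contractors,o=Example Corp" /* no rule: used as-is */
    };
    char out[256];
    for (size_t i = 0; i < sizeof subjects / sizeof subjects[0]; i++) {
        int rc = authz_map(subjects[i], out, sizeof out);
        printf("%-44s -> [%d] %s\n", subjects[i], rc, out);
    }
    return 0;
}
```

To see what identity a real slapd derived from a certificate, bind with it and ask the server: ldapwhoami -H ldap://ldap.example.com -ZZ -Y EXTERNAL, with LDAPTLS_CERT and LDAPTLS_KEY (or TLS_CERT/TLS_KEY in ~/.ldaprc, which are user-only options) pointing at the client's certificate and key. The "dn:" it prints is the output of the mapping, and an unmapped result is the sign that no authz-regexp rule matched.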


-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of Wim Lewis
Sent: Mon 7/26/2010 1:51 PM
To: openssl-users@openssl.org
Subject: Re: Simple question about SSL certs
 
On Jul 26, 2010, at 12:55 PM, Bryan Boone wrote:
> I would like to write an LDAP client that when a user connects to an LDAP 
> server with SSL, that the client cert is automatically downloaded to the 
> client.  Then a prompt asks the client to accept or reject the cert.  Is this 
> possible when using the OpenSSL C libraries?

Do you mean the client cert (the certificate that the client has, which it uses 
to prove its identity to the server --- a relatively rare setup) or the server 
cert (the certificate that the server has, which it uses to prove its identity 
to the client --- a very common setup)?

If the latter, I think what you want to do is set a verify callback on the SSL 
context using SSL_CTX_set_verify(). The callback will be given the opportunity 
to decide whether to trust a given certificate, which you can do by prompting 
the user if you like.

Keep in mind that in the general case you actually have a whole chain of 
certificates to consider --- from the certificate authority (which, in the 
X.500 world, is what you actually trust) to the server (which you're actually 
talking to).


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
