Hi Quanah,

No, I'm fairly new to OpenLDAP and wasn't aware of such global context requirement.

Does that only apply to client TLS options? Is global option set by passing a NULL LDAP handle?

I found ITS#8573 wrt your TLS patch, but the URL: <http://www.openldap.org/lists/openldap-devel/attachments/20170608/2ae39d03/attachment.bin> is not found. Can you point me to where to download or see the patch? Has it been integrated into 2.4.45?

Daniel

-----Original Message-----
From: Quanah Gibson-Mount [mailto:[email protected]]
Sent: Friday, June 23, 2017 4:37 PM
To: Daniel Le <[email protected]>; '[email protected]' <[email protected]>
Subject: RE: Using TLS

Hi Daniel,

You are aware that you must use the global context when changing the TLS options for a client, correct? It does not work on the specific filehandle. See my TLS patch for the command line client tools for an example (that is posted to the openldap-devel list).

--Quanah

--On Friday, June 23, 2017 9:20 PM +0000 Daniel Le <[email protected]> wrote:

> Hello,
>
> Is there a unit tester where the client LDAP_OPT_X_TLS_REQUIRE_CERT option is set to LDAP_OPT_X_TLS_NEVER that I can try? I was looking at openldap-2.4.44/clients/tools/ldapsearch but it doesn't configure this option.
>
> My application program sets LDAP_OPT_X_TLS_NEVER. Why does LDAP client still check for server certificate which fails in the case of bad certificate?
>
> int opt;
> opt = LDAP_OPT_X_TLS_NEVER;
> ldap_retcode = ldap_set_option(m_tLDAP, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt);
> ...
>
> Daniel
>
> -----Original Message-----
> From: Daniel Le
> Sent: Monday, June 19, 2017 3:58 PM
> To: 'Paulm' <[email protected]>
> Cc: [email protected]
> Subject: RE: Using TLS
>
> I rebuilt with libssl (an OpenSSL library which supports SSL and TLS) and that worked. Thanks.
>
> However, I got into the connect error "14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)", even though the LDAP_OPT_X_TLS_REQUIRE_CERT option is set to LDAP_OPT_X_TLS_NEVER. Isn't LDAP client supposed to bypass server certificate validation when LDAP_OPT_X_TLS_NEVER is configured?
>
> Daniel
>
> -----Original Message-----
> From: Paulm [mailto:[email protected]]
> Sent: Sunday, June 18, 2017 10:13 PM
>
> On Fri, Jun 16, 2017 at 03:26:20PM +0000, Daniel Le wrote:
>> Hi,
>>
>> I'm seeing some critical error which causes the application program to exit/terminate when ldap_start_tls_s(LDAP-handle, NULL, NULL) is called. Tracing the code execution, ldap_start_tls_s => ldap_int_tls_start => tls_init, it appears the crash is at the statement "return impl->ti_tls_init()" in the tls_init function.
>>
>> Can someone give a pointer to help debugging this? And does OpenLDAP need to be linked to OpenSSL library for TLS to work?
>
> If your ldap libs are linked to gnutls, then it might be worthwhile to rebuild and link to the openssl library; then test your code again.
>
> I don't use gnutls because it has given me problems.
>
>> I use LDAPv3, port 389 and the default LDAP_OPT_X_TLS_NEVER option. HAVE_TLS is defined but not LDAP_R_COMPILE.
>>
>> Thanks,
>>
>> Daniel
>

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
