On Tuesday 21 September 2010 03:17:48 ctosgh wrote:
> Seems nobody has run into this issue??
>
> At 2010-09-20 10:02:10, ctosgh <[email protected]> wrote:
> > Hi, folks
> >
> > I am using the APIs from openldap and recently ran into a problem
> > which upset me. Following is the framework of the function.
> >
> > ldaps_func()
> > {
> >     LDAP* ld = NULL;
> >     char * uri = "ldaps://xxx.xxx.xxx:636";
> >     .....
> >     ldap_set_option(...); // using LDAP v3
> >     ldap_set_option(...); // set LDAP_OPT_X_TLS_REQUIRE_CERT to demand
> >     ldap_set_option(...); // set LDAP_OPT_X_TLS_CACERTDIR to /tmp/ldapsCA/

If you really want the TLS context recreated with each iteration I think
you can just call:

    ldap_set_option( NULL, LDAP_OPT_X_TLS_NEWCTX, LDAP_OPT_ON);

after the above calls.

> >     ldap_initialize(&ld, uri);
> >     .....
> >     ldap_simple_bind(.....);
> >     ldap_search_ext(...);
> >     ......
> >     ldap_unbind(ld);
> >     .....
> >     return 0;
> > }
> >
> > The above function is called in a while loop to authenticate users to an
> > LDAPS server when an authentication request comes up. This function
> > works fine. BUT after one successful authentication, if I delete the CA
> > certificates of the server's certificate under /tmp/ldapsCA/, subsequent
> > authentications will STILL succeed. If I restart this daemon, no
> > authentication will succeed, because the CA certificates under
> > /tmp/ldapsCA/ have been deleted. Why do I delete CA certificates under
> > /tmp/ldapsCA/? I just want to simulate a "certificate change". Is the
> > openssl library caching something??
> >
> > Anyone have any ideas about this? I will really appreciate it.

Ralf
