link to question on stackoverflow
<http://stackoverflow.com/questions/25457034/starttls-succesful-even-after-deleting-ca-from-the-ca-dir>
I'm having trouble verifying the correct behavior of my software. Here are
the steps I am performing to verify correct operation:
1. I have sample code that uses openldap library and doing a start tls
to a ldap server.
2. I have set the global option for ca cert directory and tlx context
for the first time.
3. After that I did ldap init and ldap start tls to a server. This is
succesful as expected.
4. I did an ldap_unbind_s
5. I deleted the CA cert that signed the ldap server's certificate from
the ca cert directory of the client.
6. Again did ldap_init and ldap_start_tls_s .
7. I expected this call to fail , as I have removed the ca cert. But
what I observe is that , server sends the certificate but start_tls is
returning success.
I am using openldap 2.4 with libssl.0.9.8
LDAP *ld;int desired_version=3;
if ((ld = ldap_init(<hostname>, <server_port>)) == NULL ) {
printf("ldap_init failed\n");
exit(0);}
ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version);
ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR,"<ca dir>");
if(ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS){
printf("start tls failed.\n");
exit(0);}
...... <do bind and search>...
ldap_unbind_s(ld); ...
// DELETE the CA certificate from the ca dir. // Try to do start tls again
if ((ld = ldap_init(hostname, server_port)) == NULL ) {
printf("ldap_init failed , after deleting CA\n");
exit(0);}
// This goes fine even after deleting the CAif (ldap_start_tls_s(ld,
NULL, NULL) != LDAP_SUCCESS){
printf("start tls failed after deleting CA.\n");
exit(0);}
--
Thanks&Regards,
SomaSekhar.
