On Sat, Aug 23, 2014 at 1:08 PM, SOMA SEKHAR <[email protected]> wrote:
> link to question on stackoverflow
> <http://stackoverflow.com/questions/25457034/starttls-succesful-even-after-deleting-ca-from-the-ca-dir>
>
> I'm having trouble verifying the correct behavior of my software. Here are
> the steps I am performing to verify correct operation:
>
> 1. I have sample code that uses the openldap library and does a start tls
>    to an ldap server.
> 2. I have set the global option for ca cert directory and tls context
>    for the first time.
> 3. After that I did ldap init and ldap start tls to a server. This is
>    successful as expected.
> 4. I did an ldap_unbind_s
> 5. I deleted the CA cert that signed the ldap server's certificate
>    from the ca cert directory of the client.
> 6. Again did ldap_init and ldap_start_tls_s.
> 7. I expected this call to fail, as I have removed the ca cert. But
>    what I observe is that the server sends the certificate but start_tls is
>    returning success.
>
> I am using openldap 2.4 with libssl.0.9.8
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <ldap.h>
>
> LDAP *ld;
> int desired_version = 3;
>
> if ((ld = ldap_init(<hostname>, <server_port>)) == NULL) {
>     printf("ldap_init failed\n");
>     exit(0);
> }
>
> ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version);
> // global (NULL handle) TLS options, set before the first StartTLS
> ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
> ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, "<ca dir>");
> if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
>     printf("start tls failed.\n");
>     exit(0);
> }
> ...... <do bind and search>...
>
> ldap_unbind_s(ld);
> ...
> // DELETE the CA certificate from the ca dir.
> // Try to do start tls again
> if ((ld = ldap_init(hostname, server_port)) == NULL) {
>     printf("ldap_init failed, after deleting CA\n");
>     exit(0);
> }
> // This goes fine even after deleting the CA
> if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
>     printf("start tls failed after deleting CA.\n");
>     exit(0);
> }
>
> --
> Thanks&Regards,
> SomaSekhar.
>

--
Thanks&Regards,
SomaSekhar.
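As an added example (not code from the thread or from OpenLDAP), a POSIX shell check of what the CA directory given to LDAP_OPT_X_TLS_CACERTDIR actually contains: libldap hands that directory to OpenSSL, which finds an issuer by the c_rehash file name <subject_hash>.N, so the check tells you whether step 5 really removed the file the client would use. It assumes the openssl CLI is installed and builds its own throw-away CA and server certificate (constructed demo data); it says nothing about what a TLS context libldap has already created still holds in memory, which is the part the report leaves open.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI is
# installed; every certificate here is constructed by make_demo_pki.
# OpenSSL looks an issuer up in a CA dir under the c_rehash file name
# <subject_hash>.N, so "CA present" means that file exists and verifies the cert.

# Returns 0 if the issuer of server cert $1 (PEM) is installed under its hash
# name in CA dir $2 and actually verifies the cert, 1 otherwise.
ca_present_in_dir() {
    servercert=$1
    cadir=$2
    hash=$(openssl x509 -in "$servercert" -noout -issuer_hash) || return 1
    for f in "$cadir/$hash".[0-9]*; do
        [ -f "$f" ] || continue
        if openssl verify -CAfile "$f" "$servercert" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# Builds a throw-away CA and a server cert signed by it under work dir $1 and
# installs the CA in $1/cadir under its hash name, as c_rehash would.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir/cadir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/srv.pem" \
        >/dev/null 2>&1 || return 1
    cahash=$(openssl x509 -in "$dir/ca.pem" -noout -subject_hash) || return 1
    cp "$dir/ca.pem" "$dir/cadir/$cahash.0"
}

# Walks the reporter's steps 2 and 5: CA installed, then removed from the dir.
demo() {
    work=$(mktemp -d) || return 1
    make_demo_pki "$work" || return 1
    ca_present_in_dir "$work/srv.pem" "$work/cadir" \
        && echo "before deletion: issuer found, verification should succeed"
    rm -f "$work/cadir"/*.0
    ca_present_in_dir "$work/srv.pem" "$work/cadir" \
        || echo "after deletion: issuer missing, a StartTLS that succeeds is not verifying"
    rm -rf "$work"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh check_cadir.sh demo`; to inspect a real client directory, call ca_present_in_dir with the server's PEM certificate and the directory passed to LDAP_OPT_X_TLS_CACERTDIR.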
