Hi Philip,
Thanks for the quick response. As far as I know, LDAP_OPT_X_TLS_CTX will
set the SSL_CTX pointer. I tried to set this option to NULL before I did a
start TLS for the second time. I observed a process crash at this time.
From what you are saying, I understood that SSL_CTX had the context from
which the CA cert is verified for the second time. Please correct me if I
am wrong.
On Thu, Aug 28, 2014 at 12:14 PM, Philip Guenther <[email protected]>
wrote:
> On Wed, 27 Aug 2014, SOMA SEKHAR wrote:
> > On Sat, Aug 23, 2014 at 1:08 PM, SOMA SEKHAR <[email protected]>
> wrote:
> > > link to question on stackoverflow
> ...
> > > I'm having trouble verifying the correct behavior of my software. Here
> > > are the steps I am performing to verify correct operation:
> > >
> > > 1. I have sample code that uses the OpenLDAP library and does a start
> > > TLS to an LDAP server.
> > > 2. I have set the global options for the CA cert directory and TLS
> > > context for the first time.
> > > 3. After that I did ldap_init and ldap_start_tls to a server. This
> > > is successful as expected.
> > > 4. I did an ldap_unbind_s.
> > > 5. I deleted the CA cert that signed the LDAP server's certificate
> > > from the CA cert directory of the client.
> > > 6. Again did ldap_init and ldap_start_tls_s.
> > > 7. I expected this call to fail, as I have removed the CA cert. But
> > > what I observe is that the server sends the certificate but start_tls
> > > is returning success.
>
> If you feel this behavior is not described in the ldap_tls(3) and
> ldap_get_option(3) manpages, then you should file an ITS asking that those
> manpages be clarified.
>
> As is, the only documented sure way to completely reset the SSL state is
> to restart the process.
>
>
> ...
> > > ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
>
> You used this option here, but not later? If you don't know what this
> option does, why did you call it?
>
>
> Philip
>
--
Thanks & Regards,
SomaSekhar.