On Mon, 22 Sep 2014 17:51:02 +0000, Bin Lu <[email protected]> wrote:

> Hi Howard,
>
> The RFCs specify the protocol, but not all releases implement the
> full protocol.
>
> I briefly went through the openLdap APIs but could not find the APIs
> to do server id check. LDAP_OPT_X_TLS_CACERTFILE and
> LDAP_OPT_X_TLS_CACERTDIR seem to be for server cert validation, but I
> don't see how it does the hostname matching.
>
> It would be helpful if somebody could point me to the actual API(s) that
> does this.

That depends on the included TLS library; for openSSL you might want to read
https://www.openssl.org/docs/ssl/ssl.html#DEALING_WITH_PROTOCOL_METHODS

-Dieter

> Thanks,
>
> -----Original Message-----
> From: Howard Chu [mailto:[email protected]]
> Sent: Friday, September 19, 2014 8:10 PM
> To: Bin Lu; [email protected]
> Subject: Re: way to validate server certificate
>
> Bin Lu wrote:
> > Hi,
> >
> > Does openldap provide APIs to do server certificate validation? Can
> > I retrieve the server cert from the LDAP connection and do the
> > validation myself, or, by passing the trusted CA list, will openldap
> > do it (in this case, how is the hostname matching with the subject DN
> > performed)?
>
> OpenLDAP libldap does server certificate validation according to
> RFC2830 and 4513. It would be a mistake to duplicate that
> functionality and do the validation yourself.
>
> > Thanks a lot in advance,
> >
> > -blu
> >

--
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
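As an added illustration that is not part of this thread: the ldap.conf settings behind the options Bin Lu names (TLS_CACERT is the file counterpart of LDAP_OPT_X_TLS_CACERTFILE, TLS_REQCERT of LDAP_OPT_X_TLS_REQUIRE_CERT). The CA bundle path is a placeholder; the weak variant shows the setting that quietly switches off the validation Howard describes, the hardened variant keeps it on.

```conf
# ldap.conf / ~/.ldaprc fragment (assumed paths; illustrative only)

# Trusted CA bundle used to build the server's chain.
# Equivalent to ldap_set_option(..., LDAP_OPT_X_TLS_CACERTFILE, path).
TLS_CACERT /etc/ssl/certs/example-ca.pem

# WEAK: "never" makes libldap accept any certificate, so the CA bundle
# above is never consulted and a self-signed impersonator is accepted.
# "allow" and "try" likewise continue on a bad or missing certificate.
#TLS_REQCERT never

# HARDENED: "demand" (libldap's default) refuses the connection unless the
# server presents a certificate that chains to TLS_CACERT and matches the
# host named in the LDAP URI, which is the RFC 4513 check Howard refers to.
# Equivalent to LDAP_OPT_X_TLS_REQUIRE_CERT = LDAP_OPT_X_TLS_DEMAND.
TLS_REQCERT demand
```

Setting TLS_REQCERT never in a deployed client is worth alerting on, since it is the one line that turns the certificate check Bin Lu was looking for into a no-op.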
