Greetings.
Should I be able to discover the (default) locations of SSL certificates, via
the libldap library?
This can be useful when debugging why cert checks are failing -- where is the
library checking? (am I using the library I think I am...?!) Of course dtruss
and co can help here.
ldap_get_option with LDAP_OPT_X_TLS_CACERTDIR (and friends) looks like it
should say this, but when I explore that, it appears to show only settings
added with ldap_set_option, thus only settings overriding a default. And this
appears to be confirmed in libraries/libldap/tls_o.c:tlso_ctx_init. That
function hands over to SSL functions, and while in principle I could retrieve a
TLS session context with LDAP_OPT_X_TLS_{,SSL_}CTX, there are clear warnings
that I shouldn't be tinkering with this. The fact that I'm this deep in the
code suggests that either (a) this is not supported, or (b) I'm looking in the
wrong place.
I could in principle use functions from the OpenSSL library, like
X509_get_default_cert_dir_env(), but that requires me to know which SSL library
the libldap library was linked against (and that it was indeed OpenSSL), which
has its own complications. Also, if I'm confident I know that, I have other
ways to confirm the cert directory.
Best wishes,
Norman
--
Norman Gray : https://nxg.me.uk
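One practical way to answer "where is the library checking?" without reading tls_o.c is to replay the configuration layer that sits in front of the TLS code. The script below is an added example (not Norman's code and not part of OpenLDAP) that follows the lookup order documented in ldap.conf(5): the system-wide ldap.conf, then the user's ldaprc, then an environment variable named LDAP followed by the option name (so LDAPTLS_CACERTDIR overrides TLS_CACERTDIR from either file). When none of these sets TLS_CACERT or TLS_CACERTDIR, libldap hands no path to the SSL library and the library's built-in default applies, which is exactly the case where ldap_get_option has nothing to report. All file paths, the temporary directory and the configuration contents are constructed for the demonstration; the script deliberately ignores LDAPCONF, LDAPRC and an ldaprc in the current directory to stay short.

```shell
#!/bin/sh
# Added example (not from the original message): model where libldap will look
# for CA certificates by replaying the lookup order documented in ldap.conf(5):
# system ldap.conf, then the user's ldaprc, then environment variables named
# LDAP<OPTION>. Simplification: LDAPCONF, LDAPRC and an ldaprc in the current
# directory are not considered.

# conf_value FILE OPTION: print the last value given for OPTION in an
# ldap.conf-style file (later lines override earlier ones). Option names are
# case-insensitive; '#' comments and blank lines never match because their
# first field is not an option name. Only the first word of the value is
# taken, which is enough for paths without spaces.
conf_value() {
    [ -r "$1" ] || return 1
    awk -v opt="$2" 'toupper($1) == opt { v = $2 }
                     END { if (v == "") exit 1; print v }' "$1"
}

# resolve_tls_option OPTION SYSTEM_CONF USER_RC: print "SOURCE VALUE" for the
# setting that wins, or "default -" (and return 1) when nothing sets it. In
# the latter case libldap passes no path to the SSL library, so the library's
# own default applies; for OpenSSL that is the certs directory under the
# OPENSSLDIR shown by `openssl version -d`.
resolve_tls_option() {
    o=$1; sys=$2; usr=$3
    eval "envval=\${LDAP$o:-}"
    if [ -n "$envval" ]; then
        printf 'env:LDAP%s %s\n' "$o" "$envval"; return 0
    fi
    if v=$(conf_value "$usr" "$o"); then
        printf 'user:%s %s\n' "$usr" "$v"; return 0
    fi
    if v=$(conf_value "$sys" "$o"); then
        printf 'system:%s %s\n' "$sys" "$v"; return 0
    fi
    printf 'default -\n'
    return 1
}

# make_demo_config: write constructed sample files into a fresh temporary
# directory and print its path. Contents are made up for the demonstration.
make_demo_config() {
    d=$(mktemp -d)
    cat > "$d/ldap.conf" <<'EOF'
# constructed system-wide ldap.conf
URI ldaps://ldap.example.invalid
TLS_CACERTDIR /etc/openldap/cacerts
EOF
    cat > "$d/ldaprc" <<'EOF'
# constructed user ldaprc: overrides the directory, says nothing about a file
tls_cacertdir /home/nxg/certs
EOF
    printf '%s\n' "$d"
}

# Stand-alone demonstration on the constructed files.
demo_dir=$(make_demo_config)
for opt in TLS_CACERTDIR TLS_CACERT; do
    resolve_tls_option "$opt" "$demo_dir/ldap.conf" "$demo_dir/ldaprc" || true
done
# The environment wins over both files.
LDAPTLS_CACERT=/tmp/override-ca.pem
resolve_tls_option TLS_CACERT "$demo_dir/ldap.conf" "$demo_dir/ldaprc"
unset LDAPTLS_CACERT
rm -rf "$demo_dir"
```

Run against a real system, point the second and third arguments at the distribution's ldap.conf (for example /etc/openldap/ldap.conf or /etc/ldap/ldap.conf) and ~/.ldaprc; a "default -" result for both TLS_CACERT and TLS_CACERTDIR means the answer lives in the SSL library libldap was linked against, not in libldap itself, which is the situation the message describes.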