On 23 Feb 2012, at 22:19, tBM wrote: > First let me ask for your forgiveness, I am a perl newbie. > > We have a little perl script that is currently doing cleartext authentication > against Oracle Internet Directory 10G that we've revised to use LDAPS and > have the following in our NET::LDAP component: > > verify => 'require', cafile => './OIDcertificate.pem' > > The authentication is successful, but the part in the Wireshark packet scan > where the "Certificate, Server Hello Done" is not there. It would look like > this: > > > - Certificate, Server Hello Done > Secure Socket Layer > Handshake Protocol: Certificate > Certificates > (here's where the certificate(s) are seen > > > When other products pointed to our Oracle Internet Directory (which are also > doing secure ldap) connect, the "Certificate, Server Hello Done" component is > in the packet scan. > > It looks like the verify => require is not happening.
I'm not so familiar with how Wireshark represents TLS traffic, but I think you're misinterpreting the verify setting. During a TLS connection, the server sends the client its certificate (and maybe some CA certificates). The client is expected to verify 1) that the certificate is valid - signed by a CA it trusts to sign TLS certificates - *and* 2) is for the server that the client thinks it is talking to. Setting verify to require should mean that these two steps are taken in the client. Having said that, Net::LDAP didn't used to do the final check until recent versions. I don't think changing the verify setting will cause any change in the TLS traffic. Apart from stopping it completely if the checks fail! Can you try other OpenSSL-based clients against that LDAP server? The openssl program can do it directly: openssl s_client -connect server.example.com:636 -showcerts -debug -CAfile ./OIDcertificate.pem It is important for step 2 that the hostname you are passing to Net::LDAP->new() is identical to the name in the certificate that the server returns. In other words if the server is using a certificate with 'oid.somewhere.com' then you must connect to it using that full hostname as well. (There are some ways to put wildcards in the certificate, but that's the rough idea.) Cheers, Chris
