httpd-dev mailing list archives

From "Eric Covener" <>
Subject Re: LDAPTrustedClientCert?
Date Mon, 30 Oct 2006 23:25:32 GMT
On 10/30/06, Graham Leggett <> wrote:
> Eric Covener wrote:
> > Some research shows only alpha releases of openldap even pretend to
> > allow the CERTFILE/KEYFILE on a per-connection (i.e. LDAP*) basis --
> > the latest "stable" and "released" levels (2.3.28, 2.3.27)
> > ldap_pvt_tls_set_option will explicitly bail out of the
> > CERTFILE/KEYFILE options if the LDAP* parameter is set (unset=global).
> > This manifests as a bad rc from ldap_set_option().
> >
> > util_ldap doesn't hit this condition because it never calls anything
> > on a per-connection basis, despite documentation.
> > 1) util_ldap ignores LDAPTrustedClientCert if it's in a vhost (loses
> > track of it)
> > 2) util_ldap treats LDAPTrustedClientCert as LDAPTrustedGlobalCert if
> > it's in the base server (consequence of how it's stashed away and
> > retrieved)
> > 3) util_ldap doesn't accept LDAPTrustedClientCert in a directory container
> >
> > Using a small test program and the alpha openldap (2.4.3), setting a
> > global CA and per-connection client cert/key got a little farther, but
> > openldap ended up sending out client-certificate handshake messages
> > with 0-length client cert (as compared to doing the same
> > initialization globally and seeing the proper client cert go out over
> > the wire).
> >
> > Almost seems like openldap per-connection settings for SSL are a dead
> > end at this time, unless I'm getting extremely unlucky.
> Sorry for now getting back to you on this, I have been embroiled in
> cache-land.
> One thing I discovered when trying to unravel the different LDAP
> toolkits is that support for the different toolkits for SSL client certs
> is very patchy.
> Ideally if we can figure out whether mod*ldap is at fault for not
> passing in the required certs at the right time, we can try and figure
> out whether a bug exists in mod*ldap, or in openldap, or both.

Looks like the openldap 2.4 series (alpha) can support this by
requesting a new openssl CTX
(ldap_set_option(...,APR_LDAP_OPT_X_TLS_NEWCTX,...)) but I had to
explicitly call openssl's SSL_library_init(); before ldap_set_option
or it died creating the new context.

(with the added calls, test program works as expected in per-connection context)

May be a limitation for util_ldap to not poke around in per-connection
settings for (earlier than 2.4) openldap, and some rework to flip the
right switches at the right time for 2.4 and better.

Eric Covener
