httpd-dev mailing list archives

From "Eric Covener" <>
Subject Re: LDAPTrustedClientCert?
Date Tue, 31 Oct 2006 16:12:56 GMT
On 10/31/06, Graham Leggett <> wrote:
> On Tue, October 31, 2006 1:25 am, Eric Covener wrote:
> > Looks like the openldap 2.4 series (alpha) can support this by
> > requesting a new openssl CTX
> > (ldap_set_option(...,APR_LDAP_OPT_X_TLS_NEWCTX,...) but I had to
> > explicitly call openssl's SSL_library_init(); before ldap_set_option
> > or it died creating the new context.
> >
> > (with the added calls, test program works as expected in per-connection
> > context)
> >
> > May be a limitation for util_ldap to not poke around in per-connection
> > settings for (earlier than 2.4) openldap, and some rework to flip the
> > right switches at the right time for 2.4 and better.
> The logic to try and determine which behaviour to use with which LDAP SDK
> was abstracted into apr-util, so ideally any toolkit specific fix should
> go in there.
> Not having looked at the openldap SDK for a while - at what point do we
> call ldap_set_option(...,APR_LDAP_OPT_X_TLS_NEWCTX,...) - is this done
> just before connection? Or is it done when setting the client certificate?
> Is it possible to post a diff of the code that made it work for you?

Attached is the rough patch for what it took to get the following
kind of config to work when linked against the 2.4.3 (alpha) openldap.
Not ready for prime-time but for discussion purposes only (comments

(when using older/current openldap I think httpd has to refuse
LDAPTrustedClientCert altogether and require users code
LDAPTrustedGlobalCert exclusively)

LDAPTrustedGlobalCert CA_BASE64 /home/covener/CA.crt
LDAPTrustedGlobalCert CERT_BASE64 /home/covener/globalcert.pem
LDAPTrustedGlobalCert KEY_BASE64 /home/covener/globalcert.key

<VirtualHost *:80>
<Location /useothercert>
LDAPUrl ...
LDAPTrustedClientCert CERT_BASE64 /home/covener/othercert.pem
LDAPTrustedClientKey  KEY_BASE64 /home/covener/othercert.key
</Location>
</VirtualHost>

The repeating of the apr_ldap_opt_set(global_certs) is due to the
"new" openssl CTX no longer having the stuff we pushed into the global
environment.  No idea if this is harmless for other SDKs but I
couldn't figure out a way to push that aspect down into apr-util.

I will test w/ the mozilla SDK sometime to see how things work out
using the prescribed CERT_NICKNAME in LDAPTrustedClientCert which
might give me a better idea of how to isolate the per-directory client
certs SDK-dependent behavior.

Eric Covener
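For reference, an added configuration example that is not the patch or config from this thread: it shows the shape these directives took in released httpd 2.2 mod_ldap, where the per-directory key is supplied through a KEY_BASE64 type of LDAPTrustedClientCert rather than a separate LDAPTrustedClientKey directive, together with the server-certificate check a deployment of per-directory client certs should pair with. Hostnames, paths and the LDAP base DN are placeholders.

```apache
# Server-wide: the CA used to verify the LDAP server, plus the default
# client certificate and key every connection presents unless overridden.
LDAPTrustedGlobalCert CA_BASE64   /etc/httpd/ldap/ca.crt
LDAPTrustedGlobalCert CERT_BASE64 /etc/httpd/ldap/globalcert.pem
LDAPTrustedGlobalCert KEY_BASE64  /etc/httpd/ldap/globalcert.key

# Require the LDAP server to present a certificate chaining to the CA above.
# A per-directory client certificate proves httpd's identity to the server;
# it does nothing to confirm which server received the credentials.
LDAPVerifyServerCert On

<VirtualHost *:80>
    ServerName www.example.com

    <Location /useothercert>
        AuthType Basic
        AuthName "Other-cert realm"
        AuthBasicProvider ldap
        # ldaps:// in the URL selects SSL for this connection.
        AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid"
        # Per-directory override: a distinct client identity for this location.
        # As discussed in the thread, this only takes effect with an SDK that
        # can build a per-connection TLS context; with the Mozilla SDK the
        # type would be CERT_NICKNAME rather than a file path.
        LDAPTrustedClientCert CERT_BASE64 /etc/httpd/ldap/othercert.pem
        LDAPTrustedClientCert KEY_BASE64  /etc/httpd/ldap/othercert.key
        Require valid-user
    </Location>
</VirtualHost>
```

The global lines are set once at server level; the Location block carries only what differs for that path, so a reviewer can see at a glance which identity each directory presents to the directory server.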
