starttls successful even after deleting CA from the ca dir

Submitted by 北慕城南 on 2021-01-27 22:51:12

Question


I'm having trouble verifying the correct behavior of my software. Here are the steps I am performing to verify correct operation:

  1. I have sample code that uses the OpenLDAP library and does a StartTLS to an LDAP server.
  2. I have set the global options for the CA cert directory and TLS context for the first time.
  3. After that I did ldap_init and ldap_start_tls_s to a server. This is successful as expected.
  4. I did an ldap_unbind_s.
  5. I deleted the CA cert that signed the LDAP server's certificate from the CA cert directory of the client.
  6. Again I did ldap_init and ldap_start_tls_s.
  7. I expected this call to fail, as I have removed the CA cert. But what I observe is that the server sends the certificate and start_tls returns success.

I am using OpenLDAP 2.4 with libssl 0.9.8.

/* Test program from the question, with the headers and a main() it needs
 * to compile. <hostname>, <server_port> and <ca dir> are the asker's
 * placeholders and must be filled in. Build with: cc test.c -lldap */
#define LDAP_DEPRECATED 1   /* ldap_init() is a deprecated API; keep it declared */
#include <ldap.h>
#include <stdio.h>
#include <stdlib.h>

const char *hostname = "<hostname>";
int server_port = <server_port>;

int main(void)
{
    LDAP *ld;
    int desired_version = 3;

    if ((ld = ldap_init(hostname, server_port)) == NULL) {
        printf("ldap_init failed\n");
        exit(1);
    }

    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version);
    /* Global (ld == NULL) TLS settings; they are read when the TLS context is first built */
    ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
    ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, "<ca dir>");

    if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
        printf("start tls failed.\n");
        exit(1);
    }

    /* ... do bind and search ... */

    ldap_unbind_s(ld);

    /* DELETE the CA certificate from the ca dir. */
    /* Try to do start tls again */

    if ((ld = ldap_init(hostname, server_port)) == NULL) {
        printf("ldap_init failed, after deleting CA\n");
        exit(1);
    }

    /* This goes fine even after deleting the CA */
    if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
        printf("start tls failed after deleting CA.\n");
        exit(1);
    }

    ldap_unbind_s(ld);
    return 0;
}

Answer 1:


You should reinitialize the TLS Context.

int is_server = 0;
ldap_set_option(NULL, LDAP_OPT_X_TLS_NEWCTX, &is_server);



Source: https://stackoverflow.com/questions/25457034/starttls-successful-even-after-deleting-ca-from-the-ca-dir
