starttls successful even after deleting CA from the ca dir


I'm having trouble verifying the correct behavior of my software. Here are the steps I am performing to verify correct operation:



I am using openldap 2.4 with libssl 0.9.8


#define LDAP_DEPRECATED 1   // ldap_init()/ldap_unbind_s() are deprecated API in OpenLDAP 2.4
#include <ldap.h>
#include <stdio.h>
#include <stdlib.h>

// hostname and server_port stand for the <hostname> / <server_port> placeholders
LDAP *ld;
int desired_version = 3;

if ((ld = ldap_init(hostname, server_port)) == NULL) {
    printf("ldap_init failed\n");
    exit(0);
}

ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version);
// ld == NULL: these are library-wide (global) TLS options, not per-handle ones.
// CACERTDIR must hold CA certs under their OpenSSL hashed names.
ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, "<ca dir>");

// First StartTLS: the TLS context is built now, reading the CA dir.
if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
    printf("start tls failed.\n");
    exit(0);
}

...
... <do bind and search>
...

ldap_unbind_s(ld);
...

// DELETE the CA certificate from the ca dir.
// Try to do start tls again

// New LDAP handle, but the same process: the TLS context created above
// (with the CA already loaded into memory) is reused.
if ((ld = ldap_init(hostname, server_port)) == NULL) {
    printf("ldap_init failed, after deleting CA\n");
    exit(0);
}

// This goes fine even after deleting the CA
if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
    printf("start tls failed after deleting CA.\n");
    exit(0);
}





The certificate is probably still loaded into the LDAP server's memory. It's a very strange thing to do: what's the purpose?
– EJP
Aug 23 '14 at 0:22

@EJP: Looks like I am not clear in my question. I have deleted the CA cert from the client. The server still has its own certificate. My question is that, during the SSL handshake, the client has to verify the server's certificate. For that purpose, the client should have the CA cert configured in it. Only then can it validate. But in this case, even though the CA cert is not present, the SSL handshake goes fine. This is strange.
– soma sekhar
Aug 23 '14 at 0:31

@Soma - Good question. I'm always glad to see someone trying to break their own software (especially when it's high integrity). It almost sounds like a broken client. Be sure the LDAP library is not doing something clever like turning off validation, as in The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software.
– jww
Aug 23 '14 at 1:42

@Soma - also, be sure to try it without loading the CA. As EJP discussed, the LDAP software or OpenSSL could be caching the deleted CA certificate. The easiest way to tell is probably to install an unrelated CA. That way, you know you have a CA cert available and that CA should fail. Go grab one of Startcom's CA certs.
– jww
Aug 23 '14 at 1:51

@jww - I tried without installing the CA certificate and start tls fails, as expected. Also, after installing the certificate and following the steps given in my question, the result is as mentioned in the question. But if I restart the ldap client, start tls fails. So, as EJP mentioned, caching of the CA certificate should have been done by the client. I will go through the document pointed out by you and see if I miss something in the code.
– soma sekhar
Aug 23 '14 at 6:44
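A fresh-process version of the check described in the question, extended with jww's unrelated-CA case, as an added example (not code from the post or from OpenLDAP): every StartTLS attempt runs in a new ldapsearch process, so a TLS context cached inside a long-lived client cannot carry an earlier trust decision across the CA-dir change. Assumed, not from the thread: ldapsearch on PATH, LDAP_URI pointing at the server, and three hashed CA dirs correct/, empty/ and unrelated/ under CASE_ROOT.

```shell
#!/bin/sh
# Added example (not from the post). Each StartTLS attempt runs in a fresh
# ldapsearch process, so a TLS context cached inside a long-lived client (the
# behaviour seen in the question) cannot mask what the trust store really holds.
# Assumptions: ldapsearch on PATH; $LDAP_URI names the server; $CASE_ROOT holds
# three CA dirs, each run through `openssl rehash`:
#   correct/   the CA that issued the server certificate
#   empty/     no certificates at all
#   unrelated/ a CA that did NOT issue the server certificate (jww's check)
LDAP_URI="${LDAP_URI:-ldap://<hostname>:<server_port>}"   # placeholders from the post
CASE_ROOT="${CASE_ROOT:-/tmp/starttls-cases}"

# What a correctly validating client must do for each CA dir: "ok" or "fail".
expected_result() {
    case "$1" in
        correct)         echo ok ;;
        empty|unrelated) echo fail ;;
        *)               echo unknown ;;
    esac
}

# One StartTLS attempt in a new process trusting only the given CA dir.
# -ZZ: send StartTLS and abort unless it succeeds; REQCERT=demand: never skip
# verification. The root DSE query (-b "" -s base 1.1) keeps the bind anonymous.
observed_result() {
    if LDAPTLS_CACERTDIR="$CASE_ROOT/$1" LDAPTLS_REQCERT=demand \
        ldapsearch -ZZ -x -H "$LDAP_URI" -b "" -s base 1.1 >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Compare expected with observed for all cases; returns 1 on any mismatch.
check_all() {
    rc=0
    for c in correct empty unrelated; do
        exp=$(expected_result "$c")
        obs=$(observed_result "$c")
        if [ "$exp" = "$obs" ]; then
            echo "PASS $c: starttls $obs"
        else
            echo "FAIL $c: expected $exp, got $obs"
            rc=1
        fi
    done
    return $rc
}

# Set RUN_CASES=1 to execute against a real server (the cases are skipped otherwise).
if [ "${RUN_CASES:-0}" = 1 ]; then
    check_all
fi
```

A PASS on empty/ and unrelated/ together with a PASS on correct/ shows the client actually validates; a FAIL on either of the first two in a fresh process is a real validation gap rather than the in-process caching seen in the question.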








