Educating yourself does not mean that you were stupid in the first place; it means that you are intelligent enough to know that there is plenty left to 'learn'. -Melanie Joy

Friday, 23 June 2017

OpenLDAP - How to enable CRL check for LDAP TLS connections?

June 23, 2017 Posted by Dinesh
Refer to the earlier post for background on certificate chain verification and CRLs.

Here we will see how to establish a secure (TLS) connection using OpenLDAP. OpenLDAP exposes a set of options through which we can enable the CRL check, supply the required certificates and install a verify callback. Through this verify callback we can control OpenLDAP's behaviour on each certificate verification.

The example below is a typical client process that supplies the CA certificate; during the TLS handshake the server sends its end-entity (EE) certificate along with any intermediate certificates to form a complete chain. These certificates are validated during connection negotiation.

Once the CRL check is enabled, OpenSSL invokes its default verify callback during certificate verification, and that default implementation aborts the verification as soon as an error occurs.

In the example below we register an LDAP connect callback; through it we get access to the SSL objects and can install our own SSL verify callback. In that verify callback we ignore a specific set of errors (X509_V_ERR_UNABLE_TO_GET_CRL, X509_V_ERR_CRL_HAS_EXPIRED, X509_V_ERR_CRL_NOT_YET_VALID) and proceed with the connection.

Note: for some reason, when doCrlCheck() is called for the first time, the default callback itself is invoked; the overridden callback is only called from the second call to this function onwards. Still investigating...