Here we will see how to establish a secure connection using OpenLDAP. OpenLDAP provides set of "set" options through which we can enable the CRL check, supply required certificates and we can set the verify call back. Using this verify call back we can control OpenLDAP behavior on each certificate verification.
Below example is a typical client process which is providing CA certificate and during TLS connection server will be sending the EE (along with intermediate certificates) to form a complete chain. During the connection negotiation, these certificates are validated.
Once the CRL check is enabled, during certificate verification, OpenSSL calls default call back which has the default implementation of breaking the verification once the error occurred.
Here in the below example, we are registering LDAP call back, using this we will get access to SSL store objects and we can set the SSL call back. In the SSL verify call back we will ignore some set of errors like X509_V_ERR_UNABLE_TO_GET_CRL", "X509_V_ERR_CRL_HAS_EXPIRED", "X509_V_ERR_CRL_NOT_YET_VALID" and proceed with the connection.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <ldap.h> | |
| #include <openssl/ssl.h> | |
| #include <openssl/x509v3.h> | |
| #include <openssl/err.h> | |
| static int verify_callback(int ok, X509_STORE_CTX *ctx) | |
| { | |
| //return 0 - stop verification | |
| // 1 - OK. continue | |
| if (ok) | |
| { | |
| //Current cert is Ok. so proceed with next cert. | |
| return ok; | |
| } | |
| X509* cert = X509_STORE_CTX_get_current_cert(ctx); | |
| long serialNum = ASN1_INTEGER_get(X509_get_serialNumber(cert)); | |
| char* subjectid= X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); | |
| int sslRet = X509_STORE_CTX_get_error(ctx); | |
| const char* err = NULL; | |
| switch (sslRet) | |
| { | |
| case X509_V_ERR_UNABLE_TO_GET_CRL: | |
| case X509_V_ERR_CRL_HAS_EXPIRED: | |
| case X509_V_ERR_CRL_NOT_YET_VALID: | |
| printf( "CRL: Verification faield... but ignored : %d\n", sslRet); | |
| return 1; | |
| default: | |
| err = X509_verify_cert_error_string(sslRet); | |
| if (err) | |
| printf( "CRL: Failed to verify : %s\n",err); | |
| return 0; | |
| } | |
| return 0; | |
| } | |
| void ldap_tls_cb(LDAP * ld, SSL * ssl, SSL_CTX * ctx, void * arg) | |
| { | |
| *((SSL **)arg) = ssl; | |
| SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER , verify_callback); | |
| SSL_set_verify(ssl, SSL_VERIFY_PEER , verify_callback); | |
| printf("verify call back is set...\n"); | |
| return; | |
| } | |
| int doCrlCheck() | |
| { | |
| LDAP *ldap; | |
| int auth_method = LDAP_AUTH_SIMPLE; //LDAP_AUTH_SASL | |
| int ldap_version = LDAP_VERSION3; | |
| char *ldap_host = "10.111.11.11"; | |
| int ldap_port = 389; | |
| if ( (ldap = ldap_init(ldap_host, ldap_port)) == NULL ) { | |
| perror( "ldap_init failed" ); | |
| return( EXIT_FAILURE ); | |
| } | |
| int result = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version); | |
| if (result != LDAP_OPT_SUCCESS ) { | |
| ldap_perror(ldap, "ldap_set_option failed!"); | |
| return(EXIT_FAILURE); | |
| } | |
| //deman cert chain during connection | |
| int requireCert = LDAP_OPT_X_TLS_DEMAND; | |
| result = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &requireCert); | |
| if (result != LDAP_OPT_SUCCESS ) { | |
| ldap_perror(ldap, "ldap_set_option - req cert -failed!"); | |
| return(EXIT_FAILURE); | |
| } | |
| //add ca cert (for clients) | |
| result = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, "/etc/certs/Cert.pem"); | |
| if (result != LDAP_OPT_SUCCESS ) { | |
| ldap_perror(ldap, "ldap_set_option - cert file - failed!"); | |
| return(EXIT_FAILURE); | |
| } | |
| //enable crl check | |
| int crlvalue = LDAP_OPT_X_TLS_CRL_ALL; | |
| result =ldap_set_option(NULL, LDAP_OPT_X_TLS_CRLCHECK, &crlvalue); | |
| if (result != LDAP_OPT_SUCCESS ) { | |
| ldap_perror(ldap, "ldap_set_option failed!"); | |
| return(EXIT_FAILURE); | |
| } | |
| //set debug --> only for debug purpose | |
| int debug = 7; | |
| ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debug); | |
| //set ssl ctx | |
| SSL* ssl_ctx = NULL | |
| ldap_set_option(ldap, LDAP_OPT_X_TLS_CONNECT_ARG, &ssl_ctx ); | |
| //set the connect call back | |
| result = ldap_set_option(ldap, LDAP_OPT_X_TLS_CONNECT_CB, (void *)ldap_tls_cb); | |
| if (result != LDAP_SUCCESS) { | |
| fprintf(stderr, "ldap_set_option(LDAP_OPT_X_TLS_CONNECT_CB): %s\n", ldap_err2string(result)); | |
| return(1); | |
| } | |
| //start tls | |
| int msgidp = 0; | |
| result = ldap_start_tls(ldap,NULL,NULL,&msgidp); | |
| if (result != LDAP_OPT_SUCCESS ) { | |
| ldap_perror(ldap, "start tls failed!"); | |
| return result; | |
| } | |
| LDAPMessage *resultm; | |
| struct timeval timeout; | |
| result = ldap_result(ldap, msgidp, 0, &timeout, &resultm ); | |
| if ( result == -1 || result == 0 ) { | |
| printf("ldap_result failed;retC=%d \n", result); | |
| return result; | |
| } | |
| result = ldap_parse_extended_result(ldap, resultm, NULL, NULL, 0 ); | |
| if ( result == LDAP_SUCCESS ) { | |
| //Actual CRL check and tls connection happens here. | |
| result = ldap_install_tls (ldap); | |
| } | |
| int request_id = 0; | |
| result = ldap_sasl_bind(ldap, "", LDAP_SASL_SIMPLE, NULL, 0, 0, &request_id); | |
| if ( result != LDAP_SUCCESS ) { | |
| fprintf(stderr, "ldap_x_bind_s: %s\n", ldap_err2string(result)); | |
| printf("LDAP bind error .. %d\n", result); | |
| return(EXIT_FAILURE); | |
| } | |
| printf("LDAP connection successful.\n"); | |
| //do ldap_search and required operations here | |
| ldap_unbind(ldap); | |
| return(0); | |
| } |