
Use CURLOPT_SSL_CTX_FUNCTION for LDAPS connections #4108

Closed
apique13 opened this issue Jul 10, 2019 · 3 comments

Comments

@apique13

I did this

Hello,
I'm using libcurl to manage HTTP(S), IMAP(S), POP(S), SMTP(S) and LDAP(S) connections.
I'm using CURLOPT_SSL_CTX_FUNCTION and CURLOPT_SSL_CTX_DATA to initialize the list of trusted certificates for SSL. I manage the certificates myself and allow the user to accept them as in-memory certificates.
It works perfectly for HTTP and mail, but it has no effect for LDAPS connections.
It seems that only certificate files can be used.
I saw in ldap.c that on Windows, openldap is not used, so I tried on Linux to be sure, but only a few parameters like cafile and verifypeer are used.

I expected the following

I think CURLOPT_SSL_CTX_FUNCTION (fsslctx) could define LDAP_OPT_X_TLS_CONNECT_CB
and CURLOPT_SSL_CTX_DATA (fsslctxp) could define LDAP_OPT_X_TLS_CONNECT_ARG.
Thanks in advance.

curl/libcurl version

7.65.1

operating system

Linux (but if we could compile libcurl against openldap instead of WIN32_LDAP on Windows, it would be great too)

@bagder
Member

bagder commented Jul 12, 2019

I think this situation could and should be documented (more) clearly. If we can make the option supported for LDAP as well, in the same style as the other protocols, then that is certainly an enhancement that seems to be totally in place.

@apique13
Author

apique13 commented Aug 29, 2019

I tested it again on Linux, and CURLOPT_SSL_CTX_FUNCTION and CURLOPT_SSL_CTX_DATA work; I misunderstood something, I guess.

I also made it work on Windows with WIN32_LDAP, but it requires a little change in ldap.c.
It is not exactly the same; it is more a verify function than a context initialization.
What do you think about it?

diff --git a/lib/ldap.c b/lib/ldap.c
index fd31faa..3b544fb 100644
--- a/lib/ldap.c
+++ b/lib/ldap.c
@@ -457,6 +457,22 @@
}
#ifdef USE_WIN32_LDAP
ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);

  • /*
  • For WIN32_LDAP, transfer the callback
  • It must implements :
  • BOOLEAN Verifyservercert(
  •  PLDAP Connection,
    
  •  PCCERT_CONTEXT *pServerCert
    
  • )
  • @see https://docs.microsoft.com/fr-fr/windows/win32/api/winldap/
  •  nc-winldap-verifyservercert
    
  • There is no way to transmit arguments to the callback
  • (but you can access to static objects from the callback method)
  • */
  • if(data->set.ssl.fsslctx) {
  • ldap_set_option(server, LDAP_OPT_SERVER_CERTIFICATE,
  •                data->set.ssl.fsslctx);
    
  • }
    #endif

#ifdef USE_WIN32_LDAP
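Review bot: the pointer passed to LDAP_OPT_SERVER_CERTIFICATE in this hunk, `data->set.ssl.fsslctx`, is a CURLOPT_SSL_CTX_FUNCTION callback of type `CURLcode (*)(CURL *, void *sslctx, void *userptr)`, but the hunk's own comment says WinLDAP will call it as `BOOLEAN Verifyservercert(PLDAP Connection, PCCERT_CONTEXT *pServerCert)`. An application that installed its callback for the other protocols therefore gets it invoked with LDAP arguments, its CURLcode return read as a BOOLEAN, and CURLOPT_SSL_CTX_DATA (fsslctxp) silently dropped, as the comment admits. Either a dedicated option for the WinLDAP verify callback, or at minimum a paragraph in the CURLOPT_SSL_CTX_FUNCTION documentation stating that with USE_WIN32_LDAP the function is a VERIFYSERVERCERT callback and the data pointer is not delivered, is needed before this can merge. Also check the `ldap_set_option()` return value rather than discarding it, fix "It must implements" to "It must implement", and point the @see link at the language-neutral documentation path rather than the fr-fr one.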
curl_winldap.patch.txt

@bagder
Member

bagder commented Sep 2, 2019

Can you please submit your proposed change as a pull-request?

apique13 pushed a commit to apique13/curl that referenced this issue Sep 5, 2019
permits management of custom certificates for LDAPs connections for
issue curl#4108
@bagder bagder closed this as completed in 95d628e Feb 14, 2020
@lock lock bot locked as resolved and limited conversation to collaborators May 20, 2020