
Use CURLOPT_SSL_CTX_FUNCTION for LDAPS connections #4108

apique13 opened this issue Jul 10, 2019 · 3 comments


I did this

I'm using libcurl to manage HTTP(S), IMAP(S), POP(S), SMTP(S) and LDAP(S) connections.
I'm using CURLOPT_SSL_CTX_FUNCTION and CURLOPT_SSL_CTX_DATA to initialize the list of trusted certificates for SSL. I manage the certificates myself and let the user accept them, using in-memory certificates.
It works perfectly for HTTP and mail, but it has no effect for LDAPS connections.
It seems that only certificate files can be used.
I saw in ldap.c that on Windows, openldap is not used, so I tried on Linux to be sure, but only a few parameters like cafile and verifypeer are used.

I expected the following

and CURLOPT_SSL_CTX_DATA (fsslctxp) could define LDAP_OPT_X_TLS_CONNECT_ARG.
Thanks in advance.

curl/libcurl version


operating system

Linux (but if we could compile libcurl against openldap instead of WIN32_LDAP on Windows, it would be great too)


bagder commented Jul 12, 2019

I think this situation could and should be documented (more) clearly. If we can make the option supported for LDAP as well in the same style as the other protocols then that is certainly an enhancement that seems to be totally in place.


apique13 commented Aug 29, 2019

I tested it again on Linux, and CURLOPT_SSL_CTX_FUNCTION and CURLOPT_SSL_CTX_DATA work; I misunderstood something, I guess.

I also made it work on Windows with WIN32_LDAP, but it requires a little change in ldap.c.
It is not exactly the same, it is more a verify function than a context initialization.
What do you think about it?

diff --git a/lib/ldap.c b/lib/ldap.c
index fd31faa..3b544fb 100644
--- a/lib/ldap.c
+++ b/lib/ldap.c
@@ -457,6 +457,22 @@
#ifdef USE_WIN32_LDAP
ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);

  • /*
  • For WIN32_LDAP, transfer the callback
  • It must implements :
  • BOOLEAN Verifyservercert(
  •  PLDAP Connection,
  •  PCCERT_CONTEXT *pServerCert
  • )
  • @see
  •  nc-winldap-verifyservercert
  • There is no way to transmit arguments to the callback
  • (but you can access to static objects from the callback method)
  • */
  • if(data->set.ssl.fsslctx) {
  • ldap_set_option(server, LDAP_OPT_SERVER_CERTIFICATE,
  •                data->set.ssl.fsslctx);
  • }

#ifdef USE_WIN32_LDAP
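Review bot: the pointer handed to LDAP_OPT_SERVER_CERTIFICATE is data->set.ssl.fsslctx, the application's CURLOPT_SSL_CTX_FUNCTION callback (called with the easy handle, an SSL context pointer and the CURLOPT_SSL_CTX_DATA pointer, returning CURLcode), while the comment in the same hunk says the option needs a BOOLEAN Verifyservercert(PLDAP, PCCERT_CONTEXT *) routine; the signatures do not match, so an application already using the option for HTTPS would have its callback invoked with the wrong arguments on the WIN32_LDAP build and its CURLcode return read as a BOOLEAN verdict. Either put this behind a separate, documented option or document that on Windows the callback must have the winldap signature and that CURLOPT_SSL_CTX_DATA (fsslctxp) is not delivered. Also check the return value of ldap_set_option() rather than ignoring it, and change "It must implements" to "It must implement".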


bagder commented Sep 2, 2019

Can you please submit your proposed change as a pull-request?

apique13 pushed a commit to apique13/curl that referenced this issue Sep 5, 2019
permits management of custom certificates for LDAPs connections for
issue curl#4108
@bagder bagder closed this as completed in 95d628e Feb 14, 2020
@lock lock bot locked as resolved and limited conversation to collaborators May 20, 2020