Hi Rene, thanks for the reply. Well I am not sure really how this works. Here is why I am confused.

I have two Windows LDAP browser clients that I did not write. One is called Jxplorer and the other is called LDAPEditor. I also have a regular openldap server running on a SUSE box that is using TLS. The Jxplorer client allows me to manually load the client SSL certs into the program so that I can connect using SSL. The LDAPEditor allows me to put in my user name and password, then check a box that says "SSL". When I hit connect, a message pops up and says that I am trying to connect to an LDAP server that is using a self-signed cert, and asks if I want to accept or reject it. I am not sure if you are familiar with LDAP, but unsecured LDAP transfers user name and password in clear text over the network. I need to enable SSL so that the data is encrypted. So if I authenticate before I push the client cert down to the client and ask for acceptance, doesn't that defeat the purpose of SSL? At that point there is no need to use SSL because I have already transferred the user name and password in clear text. So wouldn't it be better for my client program to download the client cert first, then prompt a user to accept or reject the cert, then do the authentication? Obviously having my customer manually upload the client cert to their computer is the best thing, but I would like to mimic the behavior of the LDAPEditor, not the Jxplorer.

thanks

________________________________
From: Rene Hollan <rene.hol...@watchguard.com>
To: openssl-users@openssl.org; openssl-users@openssl.org
Sent: Mon, July 26, 2010 1:43:19 PM
Subject: RE: Simple question about SSL certs

What you are asking for does not make sense. The point of the client cert is to establish the identity of the client. If the server bootstraps this, ANY client can connect and receive the identity. Now, what you MAY want to do is authenticate via a different mechanism (say account and password on a secure web server), and have it push the client cert to you.

-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of Bryan Boone
Sent: Mon 7/26/2010 12:55 PM
To: openssl-users@openssl.org
Subject: Simple question about SSL certs

Hi everyone, I am a noob when it comes to SSL and I have an easy question but I don't have the time to look up the answer myself. I am trying to write an LDAP client. I need this client to use SSL as well. I am using the openldap server and C libraries. Here is what the openldap web page says...

OpenLDAP clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections and to support LDAP authentication using the SASL EXTERNAL mechanism. TLS is defined in RFC4346.

I would like to write an LDAP client that, when a user connects to an LDAP server with SSL, the client cert is automatically downloaded to the client. Then a prompt asks the client to accept or reject the cert. Is this possible when using the OpenSSL C libraries?

thanks
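Added example, not from anyone in this thread: the LDAPEditor-style flow works because the server's certificate arrives during the TLS handshake, before any LDAP bind is sent, so the client can fingerprint it, ask the user on first use, pin the answer, and refuse silently on any later mismatch. It uses Python's `ssl` module (built on OpenSSL) instead of the C API; `decide_trust`, `open_ldaps` and the in-memory `pins` dict are hypothetical names, and the LDAP bind itself is left to the caller.

```python
import hashlib
import socket
import ssl


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def decide_trust(host: str, cert_der: bytes, pins: dict, ask_user) -> bool:
    """Trust-on-first-use decision for the certificate presented by `host`.

    pins: mapping host -> previously accepted fingerprint (updated in place).
    ask_user: callback(host, fingerprint) -> bool, consulted only on first use.
    A certificate whose fingerprint differs from the pinned one is rejected
    without asking: that is exactly what an interposed server looks like.
    """
    fp = fingerprint(cert_der)
    saved = pins.get(host)
    if saved is None:
        if not ask_user(host, fp):
            return False
        pins[host] = fp
        return True
    return saved == fp


def open_ldaps(host: str, port: int = 636, pins=None, ask_user=None):
    """Complete the TLS handshake, judge the peer cert, then hand back the socket.

    CA verification is switched off on the context because decide_trust()
    makes the decision instead. Nothing (no bind, no password) is sent before
    the certificate has been accepted, which is the ordering the thread asks for.
    """
    pins = {} if pins is None else pins
    if ask_user is None:
        ask_user = lambda h, fp: input(f"{h} presents {fp}; accept? [y/N] ").lower() == "y"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # pinning replaces the CA store here
    tls = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    cert_der = tls.getpeercert(binary_form=True)
    if not decide_trust(host, cert_der, pins, ask_user):
        tls.close()
        raise ssl.SSLError(f"untrusted certificate for {host}")
    return tls  # the LDAP bind goes over this socket only after acceptance
```

Persisting `pins` to disk between runs is what turns the one-time prompt into real pinning; keeping it in memory only, as here, would re-prompt every session.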