2
votes

I'm having trouble verifying the correct behavior of my software. Here are the steps I am performing to verify correct operation:

  1. I have sample code that uses the openldap library and does a start TLS to an LDAP server.
  2. I have set the global option for the CA cert directory and TLS context for the first time.
  3. After that I did ldap_init and ldap_start_tls_s to a server. This is successful as expected.
  4. I did an ldap_unbind_s.
  5. I deleted the CA cert that signed the LDAP server's certificate from the CA cert directory of the client.
  6. Again did ldap_init and ldap_start_tls_s.
  7. I expected this call to fail, as I have removed the CA cert. But what I observe is that the server sends the certificate but start_tls returns success.

I am using openldap 2.4 with libssl 0.9.8.

#define LDAP_DEPRECATED 1   /* ldap_init() and ldap_unbind_s() are deprecated in 2.4 */
#include <ldap.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    LDAP *ld;
    int desired_version = 3;
    const char *hostname = "<hostname>";   /* placeholder */
    int server_port = LDAP_PORT;           /* placeholder (default LDAP port) */

    if ((ld = ldap_init(hostname, server_port)) == NULL) {
        printf("ldap_init failed\n");
        exit(1);
    }

    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version);
    /* global (ld == NULL) TLS options: clear the context, then point at the CA dir */
    ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
    ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, "<ca dir>");   /* placeholder */

    if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
        printf("start tls failed.\n");
        exit(1);
    }

    /* ... */
    /* ... <do bind and search> */
    /* ... */

    ldap_unbind_s(ld);
    /* ... */

    // DELETE the CA certificate from the ca dir.
    // Try to do start tls again

    if ((ld = ldap_init(hostname, server_port)) == NULL) {
        printf("ldap_init failed, after deleting CA\n");
        exit(1);
    }

    // This goes fine even after deleting the CA
    if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
        printf("start tls failed after deleting CA.\n");
        exit(1);
    }

    ldap_unbind_s(ld);
    return 0;
}
The certificate is probably still loaded into the LDAP server's memory. It's a very strange thing to do: what's the purpose? - user207421
@EJP: Looks like I am not clear in my question. I have deleted the CA cert from the client. The server still has its own certificate. My question is that, during the SSL handshake, the client has to verify the server's certificate. For that purpose, the client should have the CA cert configured in it. Only then can it validate. But in this case, even though the CA cert is not present, the SSL handshake goes fine. This is strange. - soma sekhar
@Soma - Good question. I'm always glad to see someone trying to break their own software (especially when it's high integrity). It almost sounds like a broken client. Be sure the LDAP library is not doing something clever like turning off validation, as in The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. - jww
@Soma - also, be sure to try it without loading the CA. As EJP discussed, the LDAP software or OpenSSL could be caching the deleted CA certificate. The easiest way to tell is probably to install an unrelated CA. That way, you know you have a CA cert available and that CA should fail. Go grab one of Startcom's CA certs. - jww
@jww - I tried without installing the CA certificate and start TLS fails, as expected. Also, after installing the certificate and following the steps given in my question, the result is as mentioned in the question. But if I restart the LDAP client, start TLS fails. So, as EJP mentioned, caching of the CA certificate should have been done by the client. I will go through the document pointed out by you and see if I missed something in the code. - soma sekhar

1 Answer

0
votes

You should reinitialize the TLS Context.

int is_server = 0;
ldap_set_option(NULL, LDAP_OPT_X_TLS_NEWCTX, &is_server);