Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
LDAPS via Oracle Internet Directory
16 views
Skip to first unread message
tBM
Feb 23, 2012, 5:19:22 PM2/23/12
to perl...@perl.org
First let me ask for your forgiveness, I am a perl newbie.
We have a little perl script that is currently doing cleartext
authentication against Oracle Internet Directory 10G that we've revised
to use LDAPS and have the following in our NET::LDAP component:
verify => 'require', cafile => './OIDcertificate.pem'
The authentication is successful, but the part in the Wireshark packet
scan where the "Certificate, Server Hello Done" is not there. It would
look like this:
- Certificate, Server Hello Done
Secure Socket Layer
Handshake Protocol: Certificate
Certificates
(here's where the certificate(s) are seen
When other products pointed to our Oracle Internet Directory (which are
also doing secure ldap) connect, the "Certificate, Server Hello Done"
component is in the packet scan.
It looks like the verify => require is not happening.
Thoughts / suggestions,
Thanks,
tBM
We have a little perl script that is currently doing cleartext
authentication against Oracle Internet Directory 10G that we've revised
to use LDAPS and have the following in our NET::LDAP component:
verify => 'require', cafile => './OIDcertificate.pem'
The authentication is successful, but the part in the Wireshark packet
scan where the "Certificate, Server Hello Done" is not there. It would
look like this:
- Certificate, Server Hello Done
Secure Socket Layer
Handshake Protocol: Certificate
Certificates
(here's where the certificate(s) are seen
When other products pointed to our Oracle Internet Directory (which are
also doing secure ldap) connect, the "Certificate, Server Hello Done"
component is in the packet scan.
It looks like the verify => require is not happening.
Thoughts / suggestions,
Thanks,
tBM
Chris Ridd
Feb 25, 2012, 5:32:19 AM2/25/12
to tBM, perl...@perl.org
During a TLS connection, the server sends the client its certificate (and maybe some CA certificates). The client is expected to verify 1) that the certificate is valid - signed by a CA it trusts to sign TLS certificates - *and* 2) is for the server that the client thinks it is talking to.
Setting verify to require should mean that these two steps are taken in the client. Having said that, Net::LDAP didn't used to do the final check until recent versions.
I don't think changing the verify setting will cause any change in the TLS traffic. Apart from stopping it completely if the checks fail!
Can you try other OpenSSL-based clients against that LDAP server? The openssl program can do it directly:
openssl s_client -connect server.example.com:636 -showcerts -debug -CAfile ./OIDcertificate.pem
It is important for step 2 that the hostname you are passing to Net::LDAP->new() is identical to the name in the certificate that the server returns. In other words if the server is using a certificate with 'oid.somewhere.com' then you must connect to it using that full hostname as well. (There are some ways to put wildcards in the certificate, but that's the rough idea.)
Cheers,
Chris
0 new messages