Is it possible to pass extra data to VERIFYSERVERCERT?

Shane S 21 Reputation points
2021-10-30T02:51:57.92+00:00

This was also asked on SO. The Win32 LDAP API has an option to set a certificate verification callback with

ldap_set_option(connection, LDAP_OPT_SERVER_CERTIFICATE, &callback);  

where callback is a VERIFYSERVERCERT function pointer. Is there any way to get extra, per-connection data into this function? Or if not, is the callback guaranteed to be invoked on the same thread as ldap_connect so that I can put extra data in thread-local storage?

My goal is to pass a memory-backed certificate store to hAdditionalStore in CertGetCertificateChain, so some other way to do that would also work.


Accepted answer
  1. Gary Reynolds 9,391 Reputation points
    2021-10-31T22:03:39.94+00:00

    Hi @Shane S

    Yes, the callback function is called in the same thread as the one that executed ldap_connect. The callback function is passed the following parameters: PLDAP, PCCERT_CONTEXT. You can then perform the required validation on the certificate, and as the return value from the callback function will be used to confirm the connection, you have full control over the verification process. I've used this functionality to deliver additional certificate validation checks for LDAPS connections, explained in this article.

    Gary.
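As an added example that is not part of the question or the answer (and not Microsoft's code): a C++ sketch of the thread-local hand-off the answer makes possible, where the callback reads a per-connection context set around ldap_connect and builds the chain with CertGetCertificateChain, passing the memory-backed store as hAdditionalStore. It assumes that non-Windows builds replace the Win32 LDAP and Crypt calls with a small simulation so the plumbing compiles and runs anywhere; on Windows it links against wldap32 and crypt32.

```cpp
// Added example: per-connection data reaches a VERIFYSERVERCERT callback through thread-local
// storage. Assumption: non-Windows builds use the tiny simulation below instead of Win32.
#ifdef _WIN32
  #include <windows.h>
  #include <winldap.h>
  #include <wincrypt.h>
#else
  typedef unsigned char BOOLEAN; typedef unsigned long ULONG; typedef void *HCERTSTORE;
  struct LDAP {}; typedef LDAP *PLDAP;
  struct CERT_CONTEXT {}; typedef const CERT_CONTEXT *PCCERT_CONTEXT;
  typedef BOOLEAN(VERIFYSERVERCERT)(PLDAP, PCCERT_CONTEXT);   // function type, as in winldap.h
  enum { LDAP_SUCCESS = 0, LDAP_SERVER_DOWN = 0x51, LDAP_OPT_SERVER_CERTIFICATE = 0x81 };
  static VERIFYSERVERCERT *g_cb = nullptr;
  static ULONG ldap_set_option(PLDAP, int, void *v) { g_cb = *(VERIFYSERVERCERT **)v; return LDAP_SUCCESS; }
  static ULONG ldap_connect(PLDAP ld, void *) {   // simulated server: runs the callback on this thread
      static const CERT_CONTEXT fakeCert{};
      return (g_cb && g_cb(ld, &fakeCert)) ? LDAP_SUCCESS : LDAP_SERVER_DOWN;
  }
#endif

// extraStore is the memory-backed store to hand to hAdditionalStore; callbackRan is observable state.
struct ConnContext { HCERTSTORE extraStore; bool callbackRan; };
static thread_local ConnContext *t_ctx = nullptr;   // valid only while ldap_connect runs

static BOOLEAN VerifyServerCert(PLDAP, PCCERT_CONTEXT cert) {
    ConnContext *ctx = t_ctx;   // same thread as ldap_connect, so this is our connection
    if (!ctx) return 0;         // no context: refuse the connection
    ctx->callbackRan = true;
#ifdef _WIN32
    CERT_CHAIN_PARA para = {}; para.cbSize = sizeof(para);
    PCCERT_CHAIN_CONTEXT chain = nullptr;
    if (!CertGetCertificateChain(nullptr, cert, nullptr, ctx->extraStore, &para,
                                 CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, nullptr, &chain))
        return 0;
    // Chain trust only; also run CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL) for the host name.
    BOOLEAN ok = (chain->TrustStatus.dwErrorStatus == CERT_TRUST_NO_ERROR);
    CertFreeCertificateChain(chain);
    return ok;
#else
    (void)cert; return 1;       // simulation: accept so the hand-off can be observed
#endif
}

// Connects with ctx visible to the callback; the thread-local is cleared again afterwards.
static ULONG ConnectWithContext(PLDAP ld, ConnContext *ctx) {
    VERIFYSERVERCERT *cb = VerifyServerCert;
    ldap_set_option(ld, LDAP_OPT_SERVER_CERTIFICATE, &cb);   // address of the function pointer
    t_ctx = ctx;
    ULONG rc = ldap_connect(ld, nullptr);
    t_ctx = nullptr;
    return rc;
}
```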

