0 Votes
ShaneS-6668 asked GaryReynolds commented

Is it possible to pass extra data to VERIFYSERVERCERT?

This was also asked on SO. The Win32 LDAP API has an option to set a certificate verification callback with

 ldap_set_option(connection, LDAP_OPT_SERVER_CERTIFICATE, &callback);

where callback is a VERIFYSERVERCERT function pointer. Is there any way to get extra, per-connection data into this function? Or if not, is the callback guaranteed to be invoked on the same thread as ldap_connect so that I can put extra data in thread-local storage?

My goal is to pass a memory-backed certificate store to hAdditionalStore in CertGetCertificateChain, so some other way to do that would also work.

c++

If nothing else, you could maintain a global map from PLDAP to whatever additional data you need.

1 Vote 1 ·

Thanks, yeah this is my current back-up plan.

0 Votes 0 ·
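One way to implement the global-map suggestion above, as an added example that is not code from this thread or from NetTools: a mutex-guarded registry keyed by PLDAP, looked up from the VERIFYSERVERCERT callback, with a per-connection policy object (VerifyContext, a name assumed here) whose verify function can capture the memory-backed store and hand it to CertGetCertificateChain as hAdditionalStore. On Windows it builds against winldap.h/wincrypt.h; elsewhere the Win32 types are replaced by minimal stand-ins so the registry logic can be compiled and tested.

```cpp
#include <functional>
#include <memory>
#include <mutex>
#include <unordered_map>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#include <winldap.h>
#else
// Stand-ins for the Win32 types so the registry compiles off Windows (assumption).
typedef unsigned char BOOLEAN;
typedef void* PLDAP;
typedef const void* PCCERT_CONTEXT;
#endif
// Per-connection policy, e.g. a lambda capturing the memory-backed HCERTSTORE it
// hands to CertGetCertificateChain as hAdditionalStore.
struct VerifyContext {
    std::function<bool(PCCERT_CONTEXT)> verify;
};
namespace {
std::mutex g_lock;  // the callback may run on whichever thread calls ldap_connect
std::unordered_map<PLDAP, std::shared_ptr<VerifyContext>> g_contexts;
}
// Call before ldap_connect; pair with unregister_connection after ldap_unbind.
void register_connection(PLDAP ld, std::shared_ptr<VerifyContext> ctx) {
    std::lock_guard<std::mutex> g(g_lock);
    g_contexts[ld] = std::move(ctx);
}
void unregister_connection(PLDAP ld) {
    std::lock_guard<std::mutex> g(g_lock);
    g_contexts.erase(ld);
}
// Matches winldap.h's VERIFYSERVERCERT shape: BOOLEAN (PLDAP, PCCERT_CONTEXT*).
// The callback owns *pServerCert and must free it; a connection with no
// registered context fails closed rather than silently accepting the server.
BOOLEAN verify_server_cert(PLDAP ld, PCCERT_CONTEXT* pServerCert) {
    std::shared_ptr<VerifyContext> ctx;
    {
        std::lock_guard<std::mutex> g(g_lock);
        auto it = g_contexts.find(ld);
        if (it != g_contexts.end()) ctx = it->second;
    }
    bool ok = ctx && ctx->verify && ctx->verify(*pServerCert);
#ifdef _WIN32
    CertFreeCertificateContext(*pServerCert);
#endif
    return ok ? 1 : 0;
}
```

Register the context before ldap_connect and remove it after ldap_unbind, so a handle value reused by a later connection cannot inherit an earlier connection's policy.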

1 Answer

0 Votes
GaryReynolds answered GaryReynolds commented

Hi @ShaneS-6668

Yes, the callback function is called in the same thread as the one that executed the ldap_connect. The callback function is passed the following parameters: PLDAP, PCCERT_CONTEXT. You can then perform the required validation on the certificate, and as the return value from the callback function will be used to confirm the connection, you have full control over the verification process. I've used this functionality to deliver additional certificate validation checks for LDAPS connections, explained in this article.

Gary.


Yes the callback function is called in the same thread as the one that executed the ldap_connect.

Thanks! Is this documented somewhere? Or if not, how did you verify this? I've been looking through the docs and haven't found anything about it.

0 Votes 0 ·

Hi,

I added breakpoints to the ldap_connect and callback calls in NetTools and confirmed that they were in the same thread.

Gary.

0 Votes 0 ·