Use CURLOPT_SSL_CTX_FUNCTION for LDAPS connections

[apique13]

I did this

Hello,
I'm using libcurl to manage HTTP(S), IMAP(S), POP(S), SMTP(S) and LDAP(S) connections.
I'm using CURLOPT_SSL_CTX_FUNCTION and CURLOPT_SSL_CTX_DATA to initialize the list of trusted certificates for SSL. I manage myself the certificates and permits to the user to accept them with in-memory certificates.
It works perfectly for HTTP and Mails, but it has no effect for LDAPS connections.
It seems that only certificate files can be used.
I saw in ldap.c that on Windows, openldap is not used, so I tried on Linux to be sure, but only few parameters like cafile and verifypeer are used.

I expected the following

I think CURLOPT_SSL_CTX_FUNCTION (fsslctx) could defines LDAP_OPT_X_TLS_CONNECT_CB
and CURLOPT_SSL_CTX_DATA (fsslctxp) could defines LDAP_OPT_X_TLS_CONNECT_ARG.
Thanks in advance.

curl/libcurl version

7.65.1

operating system

Linux (but if we could compile libcurl against openldap instead of WIN32_LDAP on Windows, it would be great too)

[bagder]

I think this situation could and should be documented (more) clearly. If we can make the option supported for LDAP as as well in the same style as the other protocols then that is certainly an enhancement that seems to be totally in place.

[apique13]

I tested it again on Linux, and the CURLOPT_SSL_CTX_FUNCTION and CURLOPT_SSL_CTX_DATA works, I misunderstood something, I guess.

I also made it works on Windows with WIN32_LDAP, but it requires a little change in ldap.c.
It is not exaclty the same, it is more a verify function than a context initialization.
What do you think about it ?

diff --git a/lib/ldap.c b/lib/ldap.c
index fd31faa..3b544fb 100644
--- a/lib/ldap.c
+++ b/lib/ldap.c
@@ -457,6 +457,22 @@
}
#ifdef USE_WIN32_LDAP
ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);

• /*
• For WIN32_LDAP, transfer the callback
• It must implements :
• BOOLEAN Verifyservercert(

•  PLDAP Connection,
  

•  PCCERT_CONTEXT *pServerCert
  

• )
• @see https://docs.microsoft.com/fr-fr/windows/win32/api/winldap/

•  nc-winldap-verifyservercert
  

• There is no way to transmit arguments to the callback
• (but you can access to static objects from the callback method)
• */
• if(data->set.ssl.fsslctx) {
• ldap_set_option(server, LDAP_OPT_SERVER_CERTIFICATE,

•                data->set.ssl.fsslctx);
  

• }
  #endif

#ifdef USE_WIN32_LDAP
curl_winldap.patch.txt

[bagder]

Can you please submit your proposed change as a pull-request?