dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

[API Proposal]: LdapSessionOptions.CaCertificates Property #104260

Open onmp opened 6 days ago

onmp commented 6 days ago

Background and motivation

This is to provide a way for those who may not have the privilege to administer the system CA certificate store, or those who do not want to permanently add entries to the system CA stores, to be able to verify the server certificate. This also specifically addresses the fact that the LdapSessionOptions.VerifyServerCertificates property is not supported on Linux and macOS for .NET Core.

API Proposal



Definition

Namespace:
    System.DirectoryServices.Protocols 

Assembly:
    System.DirectoryServices.Protocols.dll

The property CaCertificates contains an X509CertificateCollection object with one or more CA certificates to use to verify server certificates when an SSL connection is established.

```csharp
public System.Security.Cryptography.X509Certificates.X509CertificateCollection CaCertificates { set; }
```

Property value
CaCertificates

CA certificates used to verify the server certificate.

### API Usage

```csharp
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Placeholders for the caller's own client certificate(s) and private CA certificate(s).
X509CertificateCollection myCert = new X509CertificateCollection();
X509CertificateCollection caCerts = new X509CertificateCollection();

LdapDirectoryIdentifier identifier = new LdapDirectoryIdentifier("192.168.10.100", 3060, false, false);
using (LdapConnection ldapConnection = new LdapConnection(identifier))
{
    ldapConnection.SessionOptions.ProtocolVersion = 3;
    ldapConnection.SessionOptions.SecureSocketLayer = true; // the CA list only matters once TLS is in use
    ldapConnection.AuthType = AuthType.Basic;
    ldapConnection.Credential = new NetworkCredential("admin", "SomePassword");
    ldapConnection.ClientCertificates.AddRange(myCert);
    // Proposed set-only property: supply the CA collection used to verify the server certificate.
    ldapConnection.SessionOptions.CaCertificates = caCerts;
    ldapConnection.Bind();
}
```

### Alternative Designs

Have LdapSessionOptions.VerifyServerCertificates be functional.

### Risks

The risk is minimal because no current application is using this property.
dotnet-policy-service[bot] commented 6 days ago

Tagging subscribers to this area: @dotnet/area-system-directoryservices, @jay98014 See info in area-owners.md if you want to be subscribed.

filipnavara commented 6 days ago

I think this is misguided. There's an existing API for certificate validation (LdapSessionOptions.VerifyServerCertificates) that follows the established pattern used by other classes like SslStream or HttpClientHandler. The reason it's not implemented on non-Windows systems is the lack of a corresponding API in the native system LDAP library (*). The API proposed above would still suffer from the same underlying issue, which is the lack of certificate control at the lower-level system API.

(*) See https://github.com/dotnet/runtime/issues/60972 for details.

steveharter commented 4 days ago

Per offline discussion with @buyaa-n, moving to future. Please close if there is a valid alternative.

buyaa-n commented 2 days ago

> This is to provide a way for those who may not have the privilege to administer the system CA certificate store, or those who do not want to permanently add entries to the system CA stores, to be able to verify the server certificate. This also specifically addresses the fact that the LdapSessionOptions.VerifyServerCertificates property is not supported on Linux and macOS for .NET Core.

@onmp could you elaborate more on how you imagine this SessionOption.CaCertificates would work to replace LdapSessionOptions.VerifyServerCertificates on Linux?

dotnet-policy-service[bot] commented 2 days ago

This issue has been marked needs-author-action and may be missing some important information.

buyaa-n commented 1 hour ago

@onmp as a workaround, could you set the env variable LDAPTLS_CACERTDIR to the path where your CA certificates are located and run your client app?
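Added example, not code from this issue or from dotnet/runtime. It shows the two things the thread discusses side by side: the established callback pattern filipnavara refers to (the existing `LdapSessionOptions.VerifyServerCertificates` delegate, anchored on a private CA bundle via `X509ChainTrustMode.CustomRootTrust` instead of the system store), and the `LDAPTLS_CACERTDIR` / `LDAPTLS_CACERT` workaround buyaa-n suggests for Linux and macOS, guarded so the process fails closed instead of binding with the bundle silently ignored. The class and method names (`PrivateCaLdap`, `BuildCallback`, `Connect`) and parameters (`caBundlePemPath`, `expectedHost`) are mine; the code assumes .NET 5 or later, that the callback is only wired up on Windows because the thread says it is unsupported elsewhere, that the OpenLDAP environment variables are set before the process starts (libldap reads them itself), and it simplifies host-name checking to a single-name comparison.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

public static class PrivateCaLdap
{
    // Builds a VerifyServerCertificateCallback that trusts only the CA certificates in
    // caBundlePemPath (a PEM file holding one or more CA certs), never the system store.
    // Hypothetical helper; the delegate type and chain APIs are real .NET 5+ APIs.
    public static VerifyServerCertificateCallback BuildCallback(string caBundlePemPath, string expectedHost)
    {
        var trustedRoots = new X509Certificate2Collection();
        trustedRoots.ImportFromPemFile(caBundlePemPath);

        return (LdapConnection connection, X509Certificate certificate) =>
        {
            var leaf = certificate as X509Certificate2 ?? new X509Certificate2(certificate);

            using var chain = new X509Chain();
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.AddRange(trustedRoots);
            // Private CAs often publish no reachable CRL/OCSP endpoint; pick the revocation
            // policy deliberately instead of inheriting the default for the platform.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

            if (!chain.Build(leaf))
            {
                foreach (X509ChainStatus status in chain.ChainStatus)
                    Console.Error.WriteLine($"LDAP server certificate rejected: {status.Status} {status.StatusInformation}");
                return false;
            }

            // Chain building says nothing about the host name: a certificate issued by the
            // right CA for a different server would still pass. Compare the first DNS name
            // (SAN dNSName, falling back to CN) with the host we dialed. Simplification:
            // no wildcard or multi-SAN handling here.
            string dnsName = leaf.GetNameInfo(X509NameType.DnsName, forIssuer: false);
            if (!string.Equals(dnsName, expectedHost, StringComparison.OrdinalIgnoreCase))
            {
                Console.Error.WriteLine($"LDAP server certificate name '{dnsName}' does not match '{expectedHost}'");
                return false;
            }
            return true;
        };
    }

    // Opens an LDAPS connection whose server certificate is verified against the private
    // CA bundle, or refuses to connect when that cannot be guaranteed on this platform.
    public static LdapConnection Connect(string host, int port, string caBundlePemPath, NetworkCredential credential)
    {
        var identifier = new LdapDirectoryIdentifier(host, port, fullyQualifiedDnsHostName: true, connectionless: false);
        var connection = new LdapConnection(identifier)
        {
            AuthType = AuthType.Basic,
            Credential = credential,
        };
        connection.SessionOptions.ProtocolVersion = 3;
        connection.SessionOptions.SecureSocketLayer = true;

        if (OperatingSystem.IsWindows())
        {
            connection.SessionOptions.VerifyServerCertificates = BuildCallback(caBundlePemPath, host);
        }
        else
        {
            // The callback is not supported on Linux/macOS (per the thread), so the CA bundle
            // has to reach the native OpenLDAP library through its own configuration. Fail
            // closed rather than bind with an unverified server certificate.
            bool caConfigured =
                !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("LDAPTLS_CACERT")) ||
                !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("LDAPTLS_CACERTDIR"));
            if (!caConfigured)
            {
                connection.Dispose();
                throw new InvalidOperationException(
                    "Set LDAPTLS_CACERT (PEM bundle) or LDAPTLS_CACERTDIR (hashed CA directory) before starting the process.");
            }
        }

        connection.Bind();
        return connection;
    }
}
```

Two practical notes on the workaround branch: `LDAPTLS_CACERTDIR` expects an OpenSSL-style directory of hash-named files or symlinks (`openssl rehash <dir>` produces them), whereas `LDAPTLS_CACERT` points at a single PEM bundle and needs no rehashing. On .NET 8 and later, `X509Certificate2.MatchesHostname` can replace the single-name comparison in the callback with proper SAN and wildcard matching.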