Re: (ITS#4424) misleading TLS docs

[Kurt@OpenLDAP.org]

I've made some revisions to /pub to be more clear that
papers published in here are independent submissions.

I've also updated the entry for this paper as well
as added a note.

One might also notice that the entry listed the
paper's first H1 as the paper's title (as provided in
the paper's headers).  I've corrected the entry and the
first H1 to be identical to the paper's title.

Suggestions on how to improve the /pub page, any particular
listing, and any note added to any paper welcomed.

Comments on how to actually improve any particular paper
should be sent to the author as they maintain change
control in their submissions.

Kurt

At 02:09 AM 3/4/2006, hyc@OpenLDAP.org wrote:
>Full_Name: Howard Chu
>Version: 
>OS: 
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (24.126.120.178)
>Submitted by: hyc
>
>
>This doc http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html is providing
>misleading examples with insufficient explanation. It seems that people are
>following it without first reading and fully understanding the Admin Guide TLS
>documentation, which is counter-productive. It needs to be fixed or withdrawn.
>
>The sample slapd.conf in section 5.1.1 displays settings that are ill-advised
>(SSLv2 ciphers, TLSVerifyClient settings). It demonstrates using openssl
>s_client to verify server operation, but that is inadequate since the example
>doesn't actually do full certificate validation. (It's best just to use
>ldapsearch -d7.) 
>
>I had reservations about this doc being published when it was first submitted; I
>hate cookbooks that don't explain their rationale. I'm now seeing more and more
>people being misdirected by it.
>
>The info is also somewhat out of date, giving examples using gdbm and back-ldbm.
>Really, none of that content ever belonged there. A doc about TLS ought to just
>start from a working plaintext configuration and focus solely on the TLS
>configuration issues.