(ITS#4941) incorrect description of TLS_REQCERT setting
Full_Name: Philip Guenther
Version: 2.3.27
OS: linux and solaris
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (64.58.1.252)
The description of the TLS_REQCERT setting in the ldap.conf(5) manpage does not
match the actual operation of the code. In particular:
- clients don't 'request' server certs in TLS. They get one if the cipher suite
uses them, otherwise they don't
- 'allow' checks the identity of the server vs its cert (per RFC 4513,
section 3.1.3) and will terminate the connection if they don't match
- 'try' is the same as 'demand' and 'hard'
Here's a possible patch to ldap.conf.5 to fix the above. A reference to the RFC
should perhaps be added to the text. I was also tempted to add a sentence to
the lead-in to clarify that the setting has no effect if the negotiated cipher
suite doesn't use certs, as a clarification of the "if any" in the existing
lead-in, but that's minor. Simply having an even slightly correct description
of 'allow' is the important thing.
--- ldap.conf.5 26 Jan 2006 05:57:49 -0000
+++ ldap.conf.5 30 Apr 2007 08:39:53 -0000
@@ -249,22 +249,20 @@
.RS
.TP
.B never
-The client will not request or check any server certificate.
+The client will not check the server certificate at all.
.TP
.B allow
-The server certificate is requested. If no certificate is provided,
-the session proceeds normally. If a bad certificate is provided, it will
-be ignored and the session proceeds normally.
-.TP
-.B try
-The server certificate is requested. If no certificate is provided,
-the session proceeds normally. If a bad certificate is provided,
+The client will only verify that name used to connect to the server
+matches one of the server certificate's subjectAltName or CN values.
+If no match is found, the session is immediately terminated.
+.TP
+.B try | demand | hard
+These keywords are equivalent.
+The client will verify the server certificate is valid and matches the
+name used to connect (as for 'allow').
+If a bad or mismatched certificate is provided,
the session is immediately terminated.
-.TP
-.B demand | hard
-These keywords are equivalent. The server certificate is requested. If no
-certificate is provided, or a bad certificate is provided, the session
-is immediately terminated. This is the default setting.
+This is the default setting.
.RE
.TP
.B TLS_CRLCHECK <level>
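Review bot: the new 'allow' text ("The client will only verify that name used to connect to the server matches ...") is missing "the" before "name", and, more importantly, it never states outright what 'allow' skips: that the certificate's validity (issuer, signature, validity period) is not checked. The report's whole point is that 'allow' does a name comparison without validating the certificate, and the 'try | demand | hard' paragraph only implies it ("will verify the server certificate is valid and matches the name used to connect (as for 'allow')"). Suggest something like "The client does not verify that the certificate itself is valid or issued by a trusted CA; it only checks that the name used to connect ..." so an administrator cannot read 'allow' as a safe setting. Two smaller points on the same hunk: the removed "If no certificate is provided" sentences leave the no-certificate case (a cipher suite that carries no server certificate) undocumented for every level, and the cover note already says a sentence on the "if any" lead-in is wanted, so it would fit in this patch rather than a follow-up; and the RFC 4513 section 3.1.3 reference mentioned in the cover note belongs in the 'allow' paragraph, since that is where the name-matching rule comes from.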
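To make the difference between the levels concrete, the following is an added Python model of the patched ldap.conf.5 text, written for this page and not OpenLDAP code. It assumes the certificate's identity fields arrive already parsed as strings, uses a single `chain_valid` flag to stand in for the CA, signature and validity-period checks a real TLS library performs, applies the RFC 4513 section 3.1.3 matching rule the report cites (dNSName subjectAltName preferred, subject CN as fallback, iPAddress for IP literals, `*` only as the whole left-most label), and, following the submitter's remark that the setting has no effect when the negotiated cipher suite carries no certificate, lets the session continue when no certificate is present. The point it demonstrates is that under 'allow' a self-signed certificate bearing the right name passes, while the merged 'try | demand | hard' level rejects it.

```python
"""Model of the TLS_REQCERT levels as described in the patched ldap.conf.5 text.
Added illustration only; certificates are constructed stand-ins."""

import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Constructed stand-in for the identity fields of a server certificate."""
    dns_names: list = field(default_factory=list)     # subjectAltName dNSName entries
    ip_addresses: list = field(default_factory=list)  # subjectAltName iPAddress entries
    cn_values: list = field(default_factory=list)     # CN values from the subject DN
    chain_valid: bool = True  # assumed result of CA / signature / expiry checks


def _dns_name_match(pattern, hostname):
    """Case-insensitive DNS name comparison (RFC 4513 section 3.1.3 rule)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is honoured only as the entire left-most label and matches
    # exactly one label: '*.example.test' covers 'a.example.test' but neither
    # 'example.test' nor 'a.b.example.test'.
    if p_labels[0] == "*":
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def name_matches(reference_name, cert):
    """Compare the name the client connected to against the certificate.
    IP literals are checked against iPAddress SANs; host names against
    dNSName SANs, falling back to the subject CN only when no dNSName exists
    (the RFC 4513 ordering, assumed here)."""
    try:
        ip = ipaddress.ip_address(reference_name)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses)
    if cert.dns_names:
        return any(_dns_name_match(n, reference_name) for n in cert.dns_names)
    return any(_dns_name_match(cn, reference_name) for cn in cert.cn_values)


LEVELS = ("never", "allow", "try", "demand", "hard")


def session_proceeds(level, reference_name, cert):
    """True if the handshake continues under the given TLS_REQCERT level.
    'cert' is None when the negotiated cipher suite carried no certificate."""
    if level not in LEVELS:
        raise ValueError("unknown TLS_REQCERT level: %s" % level)
    if level == "never":
        return True  # no check at all
    if cert is None:
        # Per the report, the setting has nothing to act on without a
        # certificate; this model assumes the session simply continues.
        return True
    if level == "allow":
        # Name match only: chain_valid is deliberately ignored, so a
        # self-signed or expired certificate with the right name passes.
        return name_matches(reference_name, cert)
    # try / demand / hard: the chain must validate AND the name must match.
    return cert.chain_valid and name_matches(reference_name, cert)


if __name__ == "__main__":
    host = "ldap.example.test"  # constructed reference name
    good = ServerCert(dns_names=[host])
    selfsigned = ServerCert(dns_names=[host], chain_valid=False)
    wrong_name = ServerCert(dns_names=["other.example.test"])
    print("level    good  self-signed  wrong-name")
    for level in LEVELS:
        print("%-8s %-5s %-12s %s" % (
            level,
            session_proceeds(level, host, good),
            session_proceeds(level, host, selfsigned),
            session_proceeds(level, host, wrong_name)))
```

Running the block prints one row per level; the 'allow' row shows True in the self-signed column, which is the gap the report is about, and only 'never' accepts the wrong-name certificate.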