
Re: (ITS#4941) incorrect description of TLS_REQCERT setting



guenther+ldapdev@sendmail.com wrote:
> Full_Name: Philip Guenther
> Version: 2.3.27
> OS: linux and solaris
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (64.58.1.252)
> 
> 
> The description of the TLS_REQCERT setting in the ldap.conf(5) manpage does not
> match the actual operation of the code.  In particular:
> - clients don't 'request' server certs in TLS.  They get one if the cipher
>   suite uses them, otherwise they don't
> - 'allow' checks the identity of the server vs its cert (per RFC 4513,
>   section 3.1.3) and will terminate the connection if they don't match
> - 'try' is the same as 'demand' and 'hard'

Not quite. With both "allow" and "try" it's OK if the server provides no 
certificate. The difference is, with "try", if a cert is provided, it 
must be valid.
> 
> 
> Here's a possible patch to ldap.conf.5 to fix the above.  A reference to the RFC
> should perhaps be added to the text.  I was also tempted to add a sentence to
> the lead-in to clarify that the setting has no effect if the negotiated cipher
> suite doesn't use certs, as a clarification of the "if any" in the existing
> lead-in, but that's minor.  Simply having an even slightly correct description
> of 'allow' is the important thing.
> 
> --- ldap.conf.5 26 Jan 2006 05:57:49 -0000
> +++ ldap.conf.5 30 Apr 2007 08:39:53 -0000
> @@ -249,22 +249,20 @@
>  .RS
>  .TP
>  .B never
> -The client will not request or check any server certificate.
> +The client will not check the server certificate at all.
>  .TP
>  .B allow
> -The server certificate is requested. If no certificate is provided,
> -the session proceeds normally. If a bad certificate is provided, it will
> -be ignored and the session proceeds normally.
> -.TP
> -.B try
> -The server certificate is requested. If no certificate is provided,
> -the session proceeds normally. If a bad certificate is provided,
> +The client will only verify that name used to connect to the server
> +matches one of the server certificate's subjectAltName or CN values.
> +If no match is found, the session is immediately terminated.
> +.TP
> +.B try | demand | hard
> +These keywords are equivalent.
> +The client will verify the server certificate is valid and matches the
> +name used to connect (as for 'allow').
> +If a bad or mismatched certificate is provided,
>  the session is immediately terminated.
> -.TP
> -.B demand | hard
> -These keywords are equivalent. The server certificate is requested. If no
> -certificate is provided, or a bad certificate is provided, the session
> -is immediately terminated. This is the default setting.
> +This is the default setting.
>  .RE
>  .TP
>  .B TLS_CRLCHECK <level>
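Review bot: the merged ".B try | demand | hard" entry is wrong about 'try': as the reply above states, 'try' (like 'allow') accepts a server that provides no certificate, and only a certificate that is provided must be valid, whereas 'demand' and 'hard' terminate the session when no certificate is provided. Keep 'try' as its own .TP entry carrying that distinction, and leave "demand | hard" as the equivalent pair that is the default. The rewritten 'allow' entry has the same gap: it describes only the name check and never says what happens when the server provides no certificate at all, which the reply says is accepted; add a sentence stating that the session proceeds in that case.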
> 
> 
> 


-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
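The semantics under discussion, as an added worked example that is not part of this thread and not libldap code: a small model that reads a client's ldap.conf to find the TLS_REQCERT level in force (keywords are case-insensitive, lines starting with '#' are comments, the last occurrence wins, an LDAPTLS_REQCERT environment variable overrides the file, and 'demand' applies when nothing sets the option) and then applies the accept/terminate rules the reply above gives for each level. The sample ldap.conf is constructed. How 'allow' treats a certificate that is provided but bad is exactly what the report disputes; the model keeps the existing manpage text (ignored) for that case and marks it as an assumption.

```python
"""Model of TLS_REQCERT handling as described in ITS#4941 (constructed example)."""
from dataclasses import dataclass
from typing import Optional

LEVELS = ("never", "allow", "try", "demand", "hard")
DEFAULT_LEVEL = "demand"   # ldap.conf(5): demand|hard is the default


@dataclass(frozen=True)
class ServerCert:
    """What the client established about a server certificate it received."""
    chain_valid: bool      # verifies against the configured CA store
    name_matches: bool     # host name is in subjectAltName/CN (RFC 4513 3.1.3)


def effective_reqcert(ldap_conf: str, env: Optional[dict] = None) -> str:
    """Return the TLS_REQCERT level a client would actually use.

    Only lines beginning with '#' are comments (ldap.conf has no trailing
    comments); the keyword is case-insensitive; the last setting wins; the
    LDAPTLS_REQCERT environment variable overrides the file.
    """
    level = DEFAULT_LEVEL
    for raw in ldap_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "TLS_REQCERT":
            level = parts[1].strip().lower()
    if env and env.get("LDAPTLS_REQCERT"):
        level = env["LDAPTLS_REQCERT"].strip().lower()
    if level not in LEVELS:
        raise ValueError(f"unknown TLS_REQCERT level: {level!r}")
    return level


def session_proceeds(level: str, cert: Optional[ServerCert]) -> bool:
    """Model of the post-handshake decision; cert is None if none was sent."""
    level = level.lower()
    if level == "never":
        return True                              # nothing is checked
    if level == "allow":
        # Reply above: a missing certificate is fine.
        # Assumption (existing manpage text): a bad one is ignored as well.
        return True
    if level == "try":
        # Reply above: missing is fine; one that is provided must be valid
        # (chain and, per the patch's wording, name).
        return cert is None or (cert.chain_valid and cert.name_matches)
    if level in ("demand", "hard"):
        return cert is not None and cert.chain_valid and cert.name_matches
    raise ValueError(f"unknown TLS_REQCERT level: {level!r}")


# Constructed sample client configuration, not a real deployment.
SAMPLE_LDAP_CONF = """\
# /etc/openldap/ldap.conf
BASE   dc=example,dc=com
URI    ldaps://ldap.example.com
TLS_CACERT /etc/ssl/certs/ca.pem
tls_reqcert never
"""


def audit(ldap_conf: str, env: Optional[dict] = None) -> str:
    """One-line finding for the configured level, for use in a config review."""
    level = effective_reqcert(ldap_conf, env)
    if level in ("demand", "hard"):
        return f"{level}: server certificate required and verified"
    if level == "try":
        return f"{level}: verified only if the server sends one; an absent cert is accepted"
    return f"{level}: server identity is not enforced"


if __name__ == "__main__":
    print(audit(SAMPLE_LDAP_CONF))
    print(audit(SAMPLE_LDAP_CONF, {"LDAPTLS_REQCERT": "demand"}))
```

The point a reviewer wants from this is visible in the 'try' branch: it is not equivalent to 'demand', because a server that omits its certificate is accepted, so a client that needs server authentication must use 'demand' (or 'hard'), not 'try'.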