Re: Start TLS extended request
Hi,
thanks for your earlier response. I had a question earlier
regarding the use of TLS_CACERTDIR and TLS_CACERTFILE.
Is it that if I have to use SSL/TLS with mandatory server authentication,
TLS_CACERTFILE **MUST** be set (either through the program, ldap.conf or
.ldaprc) and TLS_CACERTDIR can **optionally** be set to a directory?
      TLS_CACERTFILE      TLS_CACERTDIR      result
 1    null                null               fails - valid reason to fail
 2    null                valid directory    fails - why?
 3.a  correct CA file     null               works - ok
 3.b  incorrect CA file   null               fails - valid reason to fail
 4.a  correct CA file     valid directory    works - ok
 4.b  incorrect CA file   valid directory    works - the directory has the correct CA file
I've tried these combinations and only situations where TLS_CACERTFILE is
set to a CA certificate (even some CA not included in the test picture
at all) work. For situation (2) my certificate verify fails with the
following error:
"TLS: could not load client CA list (file:`',dir:`/net_home/skollipa/server/ssl/certs/')."
Can you please help me understand why?
I am confused because "openssl s_client -connect localhost:636
-CApath=/valid/certs/dir" succeeds and everything works without complaining.
thanks,
Siva