[Date Prev][Date Next]
(ITS#4424) misleading TLS docs
Full_Name: Howard Chu
Submission from: (NULL) (126.96.36.199)
Submitted by: hyc
This doc http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html is providing
misleading examples with insufficient explanation. It seems that people are
following it without first reading and fully understanding the Admin Guide TLS
documentation, which is counter-productive. It needs to be fixed or withdrawn.
The sample slapd.conf in section 5.1.1 displays settings that are ill-advised
(SSLv2 ciphers, TLSVerifyClient settings). It demonstrates using openssl
s_client to verify server operation, but that is inadequate since the example
doesn't actually do full certificate validation. (It's best just to use
I had reservations about this doc being published when it was first submitted; I
hate cookbooks that don't explain their rationale. I'm now seeing more and more
people being misdirected by it.
The info is also somewhat out of date, giving examples using gdbm and back-ldbm.
Really, none of that content ever belonged there. A doc about TLS ought to just
start from a working plaintext configuration and focus solely on the TLS