Re: (ITS#4941) incorrect description of TLS_REQCERT setting



On Mon, 30 Apr 2007, Howard Chu wrote:
> guenther+ldapdev@sendmail.com wrote:
...
>> - 'allow' checks the identity of the server vs its cert (per RFC 4513,
>>   section 3.1.3) and will terminate the connection if they don't match
>> - 'try' is the same as 'demand' and 'hard'
>
> Not quite. With both "allow" and "try" it's OK if the server provides no 
> certificate.

That's true of 'demand' and 'hard' as well.  The only difference between 
'try' and 'demand' in the code is that the latter passes 
SSL_CTX_set_verify() the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag, but that 
flag has NO EFFECT on SSL clients.  This is documented on the 
SSL_CTX_set_verify() manpage and confirmed by grepping the openssl source 
for it.

If you don't believe me, I suggest you try configuring your server to 
accept the ADH suites (don't forget to set TLSDHParamFile to /dev/null) 
and give ldapsearch a whirl with
 	LDAPTLS_REQCERT=hard
 	LDAPTLS_CIPHER_SUITE=ADH-AES256-SHA

in your environment.  That's what I did.


Philip Guenther