Re: (ITS#4941) incorrect description of TLS_REQCERT setting
On Mon, 30 Apr 2007, Howard Chu wrote:
> guenther+ldapdev@sendmail.com wrote:
...
>> - 'allow' checks the identity of the server vs its cert (per RFC 4513,
>> section 3.1.3) and will terminate the connection if they don't match
>> - 'try' is the same as 'demand' and 'hard'
>
> Not quite. With both "allow" and "try" it's OK if the server provides no
> certificate.
That's true of 'demand' and 'hard' as well. The only difference between
'try' and 'demand' in the code is that the latter passes
SSL_CTX_set_verify() the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag, but that
flag has NO EFFECT on SSL clients. This is documented on the
SSL_CTX_set_verify() manpage and confirmed by grepping the openssl source
for it.
If you don't believe me, I suggest you try configuring your server to
accept the ADH suites (don't forget to set TLSDHParamFile to /dev/null)
and give ldapsearch a whirl with
LDAPTLS_REQCERT=hard
LDAPTLS_CIPHER_SUITE=ADH-AES256-SHA
in your environment. That's what I did.
Philip Guenther