
Re: (ITS#7856) TLS_REQCERT try is same as TLS_REQCERT hard?



On 05/16/2014 09:11 AM, pguenther@proofpoint.com wrote:
> Full_Name: Philip Guenther
> Version: 2.4.39
> OS: OpenBSD
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (76.253.0.176)
> 
> 
> The ldap.conf(5) manpage says this about TLS_REQCERT
>        TLS_REQCERT <level>
>               Specifies what checks to perform on server certificates in a TLS
>               session, if any. The <level> can be specified as one of the
>               following keywords:
> ...
> 
>               try    The server certificate is requested. If no certificate is
>                      provided, the session proceeds normally. If a bad
>                      certificate is provided, the session is immediately
>                      terminated.
> 
>               demand | hard
>                      These keywords are equivalent. The server certificate is
>                      requested. If no certificate is provided, or a bad
>                      certificate is provided, the session is immediately
>                      terminated. This is the default setting.
> 
> 
> In testing, I can find no difference in behavior between the 'try' and 'hard'
> keywords.  For the ldap* tools, both 'try' and 'hard' seem to place the same
> requirements on the server.  What does "if no certificate is provided" *mean* in
> terms of server and/or client configuration?
> 

See ITS#7744.

-- 
Jan Synacek
Software Engineer, Red Hat
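For anyone reading this thread while hardening a client, the following ldap.conf fragment is an added example (not from the report, the reply, or the OpenLDAP project) that places the weak setting beside the one the manpage quoted above recommends as the default. The CA bundle path is an assumption for illustration; substitute the path your distribution uses.

```conf
# --- Weak: TLS is negotiated but the server certificate is never verified.
# Any certificate is accepted, so the client has no assurance of which
# server it is talking to.
#TLS_REQCERT never

# --- Hardened: require a certificate and require that it validates.
# "demand" and "hard" are equivalent per ldap.conf(5) and are the default
# when TLS_REQCERT is not set at all.
TLS_REQCERT demand

# Verification only means something if the client has a trust anchor to
# validate against. Path below is an assumed example location.
TLS_CACERT  /etc/ssl/certs/ca-bundle.crt

# Optional: also reject certificates listed in the CA's CRL (requires the
# CRL to be present in the TLS_CACERTDIR, see ldap.conf(5)).
#TLS_CRLCHECK peer
```

Two checks worth doing after changing this: first, ldap.conf(5) documents that each option can be overridden per process through an environment variable of the same name prefixed with LDAP (for example LDAPTLS_REQCERT=never in a script silently disables the check set here), so audit wrapper scripts and service unit files for such overrides; second, run a query against the server with `ldapsearch -d 1` (the -d option enables debug output) and confirm the TLS handshake and certificate verification messages appear, rather than a silently accepted connection.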